fix(installer): stop sudo re-prompting during in-chroot module install
The base installers granted wheel sudo with `echo '%wheel ... ALL' >> /etc/sudoers`. Because the stock sudoers ends with `@includedir /etc/sudoers.d`, that appended rule is parsed AFTER the drop-ins, and since sudo applies the last matching rule, it overrode the temporary 99-setup-nopasswd NOPASSWD rule — so the user had to re-enter their password on every pacman/yay/flatpak call while the TUI installed modules. Grant wheel via /etc/sudoers.d/10-wheel instead, which sorts before 99-setup-nopasswd so NOPASSWD wins during the TUI run and password auth resumes once the temp file is removed. Also guard that @includedir is present (so the drop-ins are always read) and set both drop-ins to the canonical 0440 mode. Applied to both archbaseos-guided-install.sh and arch-autoinstall.sh. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>main
parent
b32859779e
commit
f0db333fa4
|
|
@ -497,7 +497,17 @@ useradd -m -G wheel -s /bin/zsh "$USERNAME"
|
||||||
# chpasswd reads "user:pass" from stdin to set the password non-interactively.
|
# chpasswd reads "user:pass" from stdin to set the password non-interactively.
|
||||||
echo "$USERNAME:$USERPASS" | chpasswd
|
echo "$USERNAME:$USERPASS" | chpasswd
|
||||||
# Grant wheel group full sudo access (ALL:ALL covers any user/group runas context).
|
# Grant wheel group full sudo access (ALL:ALL covers any user/group runas context).
|
||||||
echo "%wheel ALL=(ALL:ALL) ALL" >> /etc/sudoers
|
# Use a drop-in rather than appending to /etc/sudoers: the default sudoers ends
|
||||||
|
# with '@includedir /etc/sudoers.d', so an appended '%wheel' rule would be parsed
|
||||||
|
# AFTER the drop-ins and — since the last matching rule wins — override the
|
||||||
|
# temporary 99-setup-nopasswd NOPASSWD rule used during the in-chroot TUI run,
|
||||||
|
# making the user re-enter their password on every sudo. A 10-wheel drop-in sorts
|
||||||
|
# before 99-setup-nopasswd, so NOPASSWD wins while it is present and password
|
||||||
|
# auth resumes once it is removed.
|
||||||
|
# Guard that drop-ins are actually read (the stock sudoers already includes this).
|
||||||
|
grep -q '^@includedir /etc/sudoers.d' /etc/sudoers || echo '@includedir /etc/sudoers.d' >> /etc/sudoers
|
||||||
|
echo '%wheel ALL=(ALL:ALL) ALL' > /etc/sudoers.d/10-wheel
|
||||||
|
chmod 0440 /etc/sudoers.d/10-wheel
|
||||||
|
|
||||||
###################################################
|
###################################################
|
||||||
# INITRAMFS CONFIG
|
# INITRAMFS CONFIG
|
||||||
|
|
@ -588,6 +598,7 @@ if [[ "${RUN_TUI^^}" == "YES" ]]; then
|
||||||
# The file is removed immediately after the TUI exits.
|
# The file is removed immediately after the TUI exits.
|
||||||
echo "${USERNAME} ALL=(ALL) NOPASSWD: ALL" \
|
echo "${USERNAME} ALL=(ALL) NOPASSWD: ALL" \
|
||||||
| arch-chroot /mnt tee /etc/sudoers.d/99-setup-nopasswd > /dev/null
|
| arch-chroot /mnt tee /etc/sudoers.d/99-setup-nopasswd > /dev/null
|
||||||
|
arch-chroot /mnt chmod 0440 /etc/sudoers.d/99-setup-nopasswd
|
||||||
|
|
||||||
echo "Running tui-install.sh as ${USERNAME} inside chroot..."
|
echo "Running tui-install.sh as ${USERNAME} inside chroot..."
|
||||||
# `runuser -u` switches to the unprivileged user inside the chroot so that
|
# `runuser -u` switches to the unprivileged user inside the chroot so that
|
||||||
|
|
|
||||||
|
|
@ -532,7 +532,17 @@ echo "$USERNAME:$USERPASS" | chpasswd
|
||||||
chown -R "$USERNAME:$USERNAME" "/home/$USERNAME"
|
chown -R "$USERNAME:$USERNAME" "/home/$USERNAME"
|
||||||
|
|
||||||
# Grant wheel group full sudo access (ALL covers any host/user/group runas context).
|
# Grant wheel group full sudo access (ALL covers any host/user/group runas context).
|
||||||
echo "%wheel ALL=(ALL) ALL" >> /etc/sudoers
|
# Use a drop-in rather than appending to /etc/sudoers: the default sudoers ends
|
||||||
|
# with '@includedir /etc/sudoers.d', so an appended '%wheel' rule would be parsed
|
||||||
|
# AFTER the drop-ins and — since the last matching rule wins — override the
|
||||||
|
# temporary 99-setup-nopasswd NOPASSWD rule used during the in-chroot TUI run,
|
||||||
|
# making the user re-enter their password on every sudo. A 10-wheel drop-in sorts
|
||||||
|
# before 99-setup-nopasswd, so NOPASSWD wins while it is present and password
|
||||||
|
# auth resumes once it is removed.
|
||||||
|
# Guard that drop-ins are actually read (the stock sudoers already includes this).
|
||||||
|
grep -q '^@includedir /etc/sudoers.d' /etc/sudoers || echo '@includedir /etc/sudoers.d' >> /etc/sudoers
|
||||||
|
echo '%wheel ALL=(ALL) ALL' > /etc/sudoers.d/10-wheel
|
||||||
|
chmod 0440 /etc/sudoers.d/10-wheel
|
||||||
|
|
||||||
# Initramfs hook selection:
|
# Initramfs hook selection:
|
||||||
# 1. FIDO2 root unlock: needs `systemd` + `sd-encrypt` for systemd-cryptsetup.
|
# 1. FIDO2 root unlock: needs `systemd` + `sd-encrypt` for systemd-cryptsetup.
|
||||||
|
|
@ -620,6 +630,7 @@ if [[ "${_DO_TUI^^}" == "YES" ]]; then
|
||||||
# inside the chroot without a password. Removed immediately after the script exits.
|
# inside the chroot without a password. Removed immediately after the script exits.
|
||||||
echo "${USERNAME} ALL=(ALL) NOPASSWD: ALL" \
|
echo "${USERNAME} ALL=(ALL) NOPASSWD: ALL" \
|
||||||
| arch-chroot /mnt tee /etc/sudoers.d/99-setup-nopasswd > /dev/null
|
| arch-chroot /mnt tee /etc/sudoers.d/99-setup-nopasswd > /dev/null
|
||||||
|
arch-chroot /mnt chmod 0440 /etc/sudoers.d/99-setup-nopasswd
|
||||||
|
|
||||||
echo "Running tui-install.sh as ${USERNAME} inside chroot..."
|
echo "Running tui-install.sh as ${USERNAME} inside chroot..."
|
||||||
# `runuser -u` switches to the unprivileged user inside the chroot so that
|
# `runuser -u` switches to the unprivileged user inside the chroot so that
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue