fix(installer): stop sudo re-prompting during in-chroot module install

The base installers granted wheel sudo with `echo '%wheel ... ALL' >> /etc/sudoers`. Because the stock sudoers ends with `@includedir /etc/sudoers.d`, that appended rule is parsed AFTER the drop-ins, and since sudo applies the last matching rule, it overrode the temporary 99-setup-nopasswd NOPASSWD rule — so the user had to re-enter their password on every pacman/yay/flatpak call while the TUI installed modules. Grant wheel via /etc/sudoers.d/10-wheel instead, which sorts before 99-setup-nopasswd so NOPASSWD wins during the TUI run and password auth resumes once the temp file is removed. Also guard that @includedir is present (so the drop-ins are always read) and set both drop-ins to the canonical 0440 mode. Applied to both archbaseos-guided-install.sh and arch-autoinstall.sh. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-26 19:39:32 +02:00 · 2026-06-26 19:39:32 +02:00 · f0db333fa4
parent b32859779e
commit f0db333fa4
2 changed files with 24 additions and 2 deletions
--- a/setup/arch-autoinstall.sh
+++ b/setup/arch-autoinstall.sh
@ -497,7 +497,17 @@ useradd -m -G wheel -s /bin/zsh "$USERNAME"
 # chpasswd reads "user:pass" from stdin to set the password non-interactively.
 echo "$USERNAME:$USERPASS" | chpasswd
 # Grant wheel group full sudo access (ALL:ALL covers any user/group runas context).
-echo "%wheel ALL=(ALL:ALL) ALL" >> /etc/sudoers
+# Use a drop-in rather than appending to /etc/sudoers: the default sudoers ends
+# with '@includedir /etc/sudoers.d', so an appended '%wheel' rule would be parsed
+# AFTER the drop-ins and — since the last matching rule wins — override the
+# temporary 99-setup-nopasswd NOPASSWD rule used during the in-chroot TUI run,
+# making the user re-enter their password on every sudo. A 10-wheel drop-in sorts
+# before 99-setup-nopasswd, so NOPASSWD wins while it is present and password
+# auth resumes once it is removed.
+# Guard that drop-ins are actually read (the stock sudoers already includes this).
+grep -q '^@includedir /etc/sudoers.d' /etc/sudoers || echo '@includedir /etc/sudoers.d' >> /etc/sudoers
+echo '%wheel ALL=(ALL:ALL) ALL' > /etc/sudoers.d/10-wheel
+chmod 0440 /etc/sudoers.d/10-wheel

 ###################################################
 # INITRAMFS CONFIG
@ -588,6 +598,7 @@ if [[ "${RUN_TUI^^}" == "YES" ]]; then
    # The file is removed immediately after the TUI exits.
    echo "${USERNAME} ALL=(ALL) NOPASSWD: ALL" \
        | arch-chroot /mnt tee /etc/sudoers.d/99-setup-nopasswd > /dev/null
+    arch-chroot /mnt chmod 0440 /etc/sudoers.d/99-setup-nopasswd

    echo "Running tui-install.sh as ${USERNAME} inside chroot..."
    # `runuser -u` switches to the unprivileged user inside the chroot so that
--- a/setup/archbaseos-guided-install.sh
+++ b/setup/archbaseos-guided-install.sh
@ -532,7 +532,17 @@ echo "$USERNAME:$USERPASS" | chpasswd
 chown -R "$USERNAME:$USERNAME" "/home/$USERNAME"

 # Grant wheel group full sudo access (ALL covers any host/user/group runas context).
-echo "%wheel ALL=(ALL) ALL" >> /etc/sudoers
+# Use a drop-in rather than appending to /etc/sudoers: the default sudoers ends
+# with '@includedir /etc/sudoers.d', so an appended '%wheel' rule would be parsed
+# AFTER the drop-ins and — since the last matching rule wins — override the
+# temporary 99-setup-nopasswd NOPASSWD rule used during the in-chroot TUI run,
+# making the user re-enter their password on every sudo. A 10-wheel drop-in sorts
+# before 99-setup-nopasswd, so NOPASSWD wins while it is present and password
+# auth resumes once it is removed.
+# Guard that drop-ins are actually read (the stock sudoers already includes this).
+grep -q '^@includedir /etc/sudoers.d' /etc/sudoers || echo '@includedir /etc/sudoers.d' >> /etc/sudoers
+echo '%wheel ALL=(ALL) ALL' > /etc/sudoers.d/10-wheel
+chmod 0440 /etc/sudoers.d/10-wheel

 # Initramfs hook selection:
 # 1. FIDO2 root unlock: needs `systemd` + `sd-encrypt` for systemd-cryptsetup.
@ -620,6 +630,7 @@ if [[ "${_DO_TUI^^}" == "YES" ]]; then
    # inside the chroot without a password. Removed immediately after the script exits.
    echo "${USERNAME} ALL=(ALL) NOPASSWD: ALL" \
        | arch-chroot /mnt tee /etc/sudoers.d/99-setup-nopasswd > /dev/null
+    arch-chroot /mnt chmod 0440 /etc/sudoers.d/99-setup-nopasswd

    echo "Running tui-install.sh as ${USERNAME} inside chroot..."
    # `runuser -u` switches to the unprivileged user inside the chroot so that