From baece04bba8d85cc13d5e55de23ca7823b2cbe8d Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 6 Nov 2025 15:19:48 +0000
Subject: [PATCH] fix: Configure sudo for specific commands only
Changed sudo configuration to allow NOPASSWD for specific commands only:
- pacman -Syu --noconfirm (system update)
- rm -rf /var/lib/pacman/db.lck (unlock pacman)
- poweroff (shutdown)
- reboot (reboot)
This is more secure than allowing all commands without password.
---
 build.zsh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/build.zsh b/build.zsh
index 00980ee..9a90421 100755
--- a/build.zsh
+++ b/build.zsh
@@ -29,8 +29,8 @@ cp -rf ./cfg/os-release root.x86_64/var/lib/machines/arch/etc/os-release
 arch-chroot root.x86_64/var/lib/machines/arch /bin/sh -c 'useradd -m -G wheel -s /bin/zsh ai'
 arch-chroot root.x86_64/var/lib/machines/arch /bin/sh -c 'echo "ai:root" | chpasswd'
-# Enable wheel group for sudo
-arch-chroot root.x86_64/var/lib/machines/arch /bin/sh -c 'sed -i "s/^# %wheel ALL=(ALL:ALL) ALL/%wheel ALL=(ALL:ALL) ALL/" /etc/sudoers'
+# Enable wheel group for sudo (specific commands without password)
+arch-chroot root.x86_64/var/lib/machines/arch /bin/sh -c 'echo "%wheel ALL=(ALL:ALL) NOPASSWD: /usr/bin/pacman -Syu --noconfirm, /usr/bin/rm -rf /var/lib/pacman/db.lck, /usr/bin/poweroff, /usr/bin/reboot" >> /etc/sudoers'
 # Setup auto-login for user 'ai'
 arch-chroot root.x86_64/var/lib/machines/arch /bin/sh -c 'mkdir -p /etc/systemd/system/getty@tty1.service.d'
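Review bot: The added `echo "%wheel ..." >> /etc/sudoers` line appends the rule to the main sudoers file with no syntax check, so a quoting slip, or a re-run against an existing root tree, leaves a broken or duplicated policy in the image. Writing the rule to a drop-in file under `/etc/sudoers.d` with mode 0440 and following it with `arch-chroot root.x86_64/var/lib/machines/arch /bin/sh -c 'visudo -cf /etc/sudoers'` would make the build fail on an invalid policy, assuming the script aborts on a non-zero status (not visible in this hunk). The run-as spec `(ALL:ALL)` is wider than these four commands need; `(root)` is enough. The hunk also drops the password-gated `%wheel ALL=(ALL:ALL) ALL` rule, so these four commands become the only sudo rights for `ai`; if that is intended, the comment should say so, e.g. `# wheel may run only the four commands below via sudo, without a password`.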