Skip to content

ubuntu: Add NOPASSWD sudoers rule for 25.10 and 26.04#1813

Open
NewtonChutney wants to merge 1 commit into
containers:mainfrom
NewtonChutney:main
Open

ubuntu: Add NOPASSWD sudoers rule for 25.10 and 26.04#1813
NewtonChutney wants to merge 1 commit into
containers:mainfrom
NewtonChutney:main

Conversation

@NewtonChutney

Copy link
Copy Markdown

Ubuntu 25.10 switched from traditional C sudo to sudo-rs (Rust-based sudo). Unlike C sudo, sudo-rs does not use PAM for authentication and therefore does not honor the nullok option in /etc/pam.d/common-auth.

Toolbox creates users with an empty password (useradd --password "") and relies on PAM's nullok to accept blank authentication. With sudo-rs, this no longer works and the user gets prompted for a password.

Fix this by adding an explicit NOPASSWD sudoers drop-in for the sudo group, matching the approach already used in the Arch Containerfile. This works regardless of the sudo implementation.

Assisted by: Claude Opus 4.6 noreply@anthropic.com

Fixes #1807

@NewtonChutney NewtonChutney requested a review from Jmennius as a code owner July 2, 2026 08:05

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request configures passwordless sudo for the sudo group in Ubuntu 25.10 and 26.04 Containerfiles. The reviewer noted that files created in /etc/sudoers.d/ require strict permissions (such as 0440) to be recognized by sudo, and recommended explicitly setting these permissions to prevent the configuration from being ignored.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

RUN rm /extra-packages

# Allow passwordless sudo for the sudo group
RUN echo "%sudo ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/90-toolbx-nopasswd

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Files in /etc/sudoers.d/ must have strict permissions (typically 0440 or 0400) and be owned by root:root. If a file has more permissive permissions (such as 0644, which is the default when created via redirection with a standard umask), sudo and sudo-rs will ignore the file or fail with a permission error. To ensure the passwordless sudo rule is honored, explicitly set the file permissions to 0440.

RUN echo "%sudo ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/90-toolbx-nopasswd && \
    chmod 0440 /etc/sudoers.d/90-toolbx-nopasswd

RUN rm /extra-packages

# Allow passwordless sudo for the sudo group
RUN echo "%sudo ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/90-toolbx-nopasswd

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Files in /etc/sudoers.d/ must have strict permissions (typically 0440 or 0400) and be owned by root:root. If a file has more permissive permissions (such as 0644, which is the default when created via redirection with a standard umask), sudo and sudo-rs will ignore the file or fail with a permission error. To ensure the passwordless sudo rule is honored, explicitly set the file permissions to 0440.

RUN echo "%sudo ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/90-toolbx-nopasswd && \
    chmod 0440 /etc/sudoers.d/90-toolbx-nopasswd

@debarshiray debarshiray left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for catching this, @NewtonChutney ! I didn't have the time to test this, but the changes and what you have written about them look sane to me. Maybe @Jmennius (our Ubuntu maintainer) will get to testing them before me.

Could you please correct your Git authorship information with your full name and a real email address? For what it's worth, projects as diverse as GCC, GnuPG, Linux, Moby and Podman don't allow anonymous or pseudonymous contributions.

Ubuntu 25.10 switched from traditional C sudo to sudo-rs (Rust-based
sudo). Unlike C sudo, sudo-rs does not use PAM for authentication and
therefore does not honor the nullok option in /etc/pam.d/common-auth.

Toolbox creates users with an empty password (useradd --password "")
and relies on PAM's nullok to accept blank authentication. With sudo-rs,
this no longer works and the user gets prompted for a password.

Fix this by adding an explicit NOPASSWD sudoers drop-in for the sudo
group, matching the approach already used in the Arch Containerfile.
This works regardless of the sudo implementation.

Assisted by: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

F44 host + Ubuntu 26.04 client, sudo does not work due to missing NOPASSWD: in sudoers

2 participants