ubuntu: Add NOPASSWD sudoers rule for 25.10 and 26.04#1813
ubuntu: Add NOPASSWD sudoers rule for 25.10 and 26.04#1813NewtonChutney wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
Code Review
This pull request configures passwordless sudo for the sudo group in Ubuntu 25.10 and 26.04 Containerfiles. The reviewer noted that files created in /etc/sudoers.d/ require strict permissions (such as 0440) to be recognized by sudo, and recommended explicitly setting these permissions to prevent the configuration from being ignored.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| RUN rm /extra-packages | ||
|
|
||
| # Allow passwordless sudo for the sudo group | ||
| RUN echo "%sudo ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/90-toolbx-nopasswd |
There was a problem hiding this comment.
Files in /etc/sudoers.d/ must have strict permissions (typically 0440 or 0400) and be owned by root:root. If a file has more permissive permissions (such as 0644, which is the default when created via redirection with a standard umask), sudo and sudo-rs will ignore the file or fail with a permission error. To ensure the passwordless sudo rule is honored, explicitly set the file permissions to 0440.
RUN echo "%sudo ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/90-toolbx-nopasswd && \
chmod 0440 /etc/sudoers.d/90-toolbx-nopasswd
| RUN rm /extra-packages | ||
|
|
||
| # Allow passwordless sudo for the sudo group | ||
| RUN echo "%sudo ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/90-toolbx-nopasswd |
There was a problem hiding this comment.
Files in /etc/sudoers.d/ must have strict permissions (typically 0440 or 0400) and be owned by root:root. If a file has more permissive permissions (such as 0644, which is the default when created via redirection with a standard umask), sudo and sudo-rs will ignore the file or fail with a permission error. To ensure the passwordless sudo rule is honored, explicitly set the file permissions to 0440.
RUN echo "%sudo ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/90-toolbx-nopasswd && \
chmod 0440 /etc/sudoers.d/90-toolbx-nopasswd
debarshiray
left a comment
There was a problem hiding this comment.
Thanks for catching this, @NewtonChutney ! I didn't have the time to test this, but the changes and what you have written about them look sane to me. Maybe @Jmennius (our Ubuntu maintainer) will get to testing them before me.
Could you please correct your Git authorship information with your full name and a real email address? For what it's worth, projects as diverse as GCC, GnuPG, Linux, Moby and Podman don't allow anonymous or pseudonymous contributions.
Ubuntu 25.10 switched from traditional C sudo to sudo-rs (Rust-based sudo). Unlike C sudo, sudo-rs does not use PAM for authentication and therefore does not honor the nullok option in /etc/pam.d/common-auth. Toolbox creates users with an empty password (useradd --password "") and relies on PAM's nullok to accept blank authentication. With sudo-rs, this no longer works and the user gets prompted for a password. Fix this by adding an explicit NOPASSWD sudoers drop-in for the sudo group, matching the approach already used in the Arch Containerfile. This works regardless of the sudo implementation. Assisted by: Claude Opus 4.6 <noreply@anthropic.com>
Ubuntu 25.10 switched from traditional C sudo to sudo-rs (Rust-based sudo). Unlike C sudo, sudo-rs does not use PAM for authentication and therefore does not honor the nullok option in /etc/pam.d/common-auth.
Toolbox creates users with an empty password (useradd --password "") and relies on PAM's nullok to accept blank authentication. With sudo-rs, this no longer works and the user gets prompted for a password.
Fix this by adding an explicit NOPASSWD sudoers drop-in for the sudo group, matching the approach already used in the Arch Containerfile. This works regardless of the sudo implementation.
Assisted by: Claude Opus 4.6 noreply@anthropic.com
Fixes #1807