From 8c0a68bd61bd90698eeee9dcc1d25b16056b31db Mon Sep 17 00:00:00 2001 From: Nitin Krishna Mucheli Date: Thu, 2 Jul 2026 13:23:13 +0530 Subject: [PATCH] ubuntu: Add NOPASSWD sudoers rule for 25.10 and 26.04 Ubuntu 25.10 switched from traditional C sudo to sudo-rs (Rust-based sudo). Unlike C sudo, sudo-rs does not use PAM for authentication and therefore does not honor the nullok option in /etc/pam.d/common-auth. Toolbox creates users with an empty password (useradd --password "") and relies on PAM's nullok to accept blank authentication. With sudo-rs, this no longer works and the user gets prompted for a password. Fix this by adding an explicit NOPASSWD sudoers drop-in for the sudo group, matching the approach already used in the Arch Containerfile. This works regardless of the sudo implementation. Assisted by: Claude Opus 4.6 --- images/ubuntu/25.10/Containerfile | 3 +++ images/ubuntu/26.04/Containerfile | 3 +++ 2 files changed, 6 insertions(+) diff --git a/images/ubuntu/25.10/Containerfile b/images/ubuntu/25.10/Containerfile index 069409c75..5b46afd8e 100644 --- a/images/ubuntu/25.10/Containerfile +++ b/images/ubuntu/25.10/Containerfile @@ -27,6 +27,9 @@ RUN apt-get update && \ rm -rd /var/lib/apt/lists/* RUN rm /extra-packages +# Allow passwordless sudo for the sudo group +RUN echo "%sudo ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/90-toolbx-nopasswd + # Enable the use of p11-kit-client.so to access CA certificates from the host RUN mkdir --parents /etc/pkcs11/modules diff --git a/images/ubuntu/26.04/Containerfile b/images/ubuntu/26.04/Containerfile index f5854da08..2ccb4714b 100644 --- a/images/ubuntu/26.04/Containerfile +++ b/images/ubuntu/26.04/Containerfile @@ -27,6 +27,9 @@ RUN apt-get update && \ rm -rd /var/lib/apt/lists/* RUN rm /extra-packages +# Allow passwordless sudo for the sudo group +RUN echo "%sudo ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/90-toolbx-nopasswd + # Enable the use of p11-kit-client.so to access CA certificates from the host RUN mkdir --parents /etc/pkcs11/modules