fix: remove use of sudo to allow running from root shell for repeat runs

2025-09-18 02:39:42 +02:00 · 2025-09-18 02:39:42 +02:00 · bbd2e01bac
commit bbd2e01bac
parent abf2dd653d
6 changed files with 13 additions and 11 deletions
--- a/fedora-42-dev.yaml
+++ b/fedora-42-dev.yaml
@ -25,13 +25,15 @@
      vars:
        enable_webgl: false

-    - name: 'Install wireguard-tools and neovim and gdb and podman'
+    - name: 'Install wireguard-tools and neovim and gdb and podman and other devtools'
      ansible.builtin.dnf5:
        name:
          - wireguard-tools
          - neovim
          - gdb
          - podman
+          - glibc-devel
+          - opentofu
        state: 'present'
  
    - name: 'Handle SUID binaries'
--- a/remove_suid.sh
+++ b/remove_suid.sh
@ -73,8 +73,8 @@ is_in_whitelist() {
    return 1
 }

-sudo passwd -l root
-sudo dnf remove sudo-python-plugin
+passwd -l root
+dnf remove sudo-python-plugin

 find /usr -type f -perm /4000 |
    while IFS= read -r binary; do
--- a/roles/baseline/tasks/main.yaml
+++ b/roles/baseline/tasks/main.yaml
@ -100,7 +100,7 @@
  - 'etc/dconf/db/local.d/privacy'

 - name: Update dconf
-  shell: sudo dconf update
+  shell: 'dconf update'

 - name: Setup ZRAM, flatpak updater and environment variables to disable GJS + WebkitGTK JIT
  ansible.builtin.copy:
@ -125,10 +125,10 @@
    state: latest

 - name: Mark packages as manually installed to avoid removal
-  shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
+  shell: 'dnf mark user flatpak gnome-menus qubes-menus -y'

 - name: Enable hardened_malloc COPR
-  shell: 'sudo dnf copr enable secureblue/hardened_malloc -y'
+  shell: 'dnf copr enable secureblue/hardened_malloc -y'

 - name: Install hardened_malloc
  ansible.builtin.dnf5:
@ -153,7 +153,7 @@
  when: use_hardened_malloc == true

 - name: Enable hardened_malloc for system wide flatpak
-  shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
+  shell: 'flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
  when: use_hardened_malloc == true

 - name: Enable hardened_malloc for user flatpak # has to be run per APP VM
--- a/roles/baseline/templates/etc/sysctl.d/99-workstation.conf.j2
+++ b/roles/baseline/templates/etc/sysctl.d/99-workstation.conf.j2
@ -44,7 +44,7 @@ kernel.unprivileged_userns_clone = 1

 # Disable ptrace. Not needed on workstations.
 {% if allow_ptrace %}
-kernel.yama.ptrace_scope = 2
+kernel.yama.ptrace_scope = 1
 {% else %}
 kernel.yama.ptrace_scope = 3
 {% endif %}
--- a/roles/gnome/tasks/main.yaml
+++ b/roles/gnome/tasks/main.yaml
@ -9,7 +9,7 @@
    state: latest

 - name: Mark packages as manually installed to avoid removal
-  shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
+  shell: 'dnf mark user flatpak gnome-menus qubes-menus -y'

 - name: Remove unnecessary stuff from the template
  ansible.builtin.dnf5:
--- a/roles/trivalent/tasks/main.yaml
+++ b/roles/trivalent/tasks/main.yaml
@ -12,10 +12,10 @@
    mode: '0644'

 - name: Enable codecs and stuff
-  shell: 'sudo dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1'
+  shell: 'dnf config-manager setopt fedora-cisco-openh264.enabled=1 rpmfusion-free.enabled=1 rpmfusion-free-updates.enabled=1 rpmfusion-nonfree.enabled=1 rpmfusion-nonfree-updates.enabled=1'

 - name: Update codecs
-  shell: 'sudo dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin'
+  shell: 'dnf update @multimedia --setopt="install_weak_deps=False" --exclude=PackageKit-gstreamer-plugin'

 - name: Update all
  ansible.builtin.dnf5: