aesthetic.computer / core
Monorepo for Aesthetic.Computer aesthetic.computer
4
fork

Configure Feed

Select the types of activity you want to include in your feed.

sudoers/ac-flash-mac: scope NOPASSWD at the script path

Previous template granted passwordless sudo for ~14 specific commands
(diskutil verbs, sgdisk, mount_msdos, etc.). The list was incomplete
(missing sgdisk --zap-all/--new, dd, newfs_msdos, sudo mkdir/cp/tee
into /tmp mount points) and brittle — every flash-mac.sh refactor risks
a passwordless gap that surfaces as a mid-flash password prompt.

Replace with a single Cmnd_Alias that whitelists flash-mac.sh itself.
The script (now run as root via auto-re-exec) does whatever it needs.
Surface stays tight: nothing else gets passwordless escalation.

Covers both the main checkout path AND any .claude/worktrees/<name>/
copy of the script — same script, different working trees.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

prompt.ac/@jeffrey 6da15d3a 351b906e

+9 -17
+9 -17
fedac/native/sudoers.d/ac-flash-mac.template
··· 1 - # /etc/sudoers.d/ac-flash-mac — passwordless sudo for the macOS USB flasher 2 - # Lets fedac/native/scripts/flash-mac.sh run end-to-end without prompting 3 - # on every external-disk operation. Scoped to the precise commands flash-mac 4 - # needs; nothing else gets passwordless escalation. 1 + # /etc/sudoers.d/ac-flash-mac — passwordless sudo for the macOS USB flasher. 2 + # Whitelists fedac/native/scripts/flash-mac.sh as a single unit because it 3 + # legitimately needs ~10 distinct privileged operations (sgdisk, dd, 4 + # newfs_msdos, diskutil, mount_msdos, etc.) — granting them piecemeal 5 + # without drift is fragile. Scoping at the script keeps the surface tight. 5 6 # 6 7 # Install with: 7 8 # sed "s/__USER__/$USER/g" fedac/native/sudoers.d/ac-flash-mac.template \ ··· 10 11 # && sudo visudo -cf /etc/sudoers.d/ac-flash-mac 11 12 12 13 Cmnd_Alias AC_FLASH_USB = \ 13 - /usr/sbin/diskutil unmountDisk /dev/disk*, \ 14 - /usr/sbin/diskutil unmountDisk force /dev/disk*, \ 15 - /usr/sbin/diskutil unmount /dev/disk*, \ 16 - /usr/sbin/diskutil mount /dev/disk*, \ 17 - /usr/sbin/diskutil eject /dev/disk*, \ 18 - /usr/sbin/diskutil partitionDisk /dev/disk* *, \ 19 - /usr/sbin/diskutil eraseDisk * /dev/disk*, \ 20 - /opt/homebrew/bin/sgdisk -t * /dev/disk*, \ 21 - /opt/homebrew/bin/sgdisk -p /dev/disk*, \ 22 - /sbin/mount_msdos /dev/disk*, \ 23 - /sbin/mount_msdos /dev/disk* /Volumes/*, \ 24 - /bin/mkdir -p /Volumes/*, \ 25 - /usr/bin/tee /Volumes/*/* 14 + /Users/__USER__/aesthetic-computer/fedac/native/scripts/flash-mac.sh, \ 15 + /Users/__USER__/aesthetic-computer/fedac/native/scripts/flash-mac.sh *, \ 16 + /Users/__USER__/aesthetic-computer/.claude/worktrees/*/fedac/native/scripts/flash-mac.sh, \ 17 + /Users/__USER__/aesthetic-computer/.claude/worktrees/*/fedac/native/scripts/flash-mac.sh * 26 18 27 19 __USER__ ALL=(root) NOPASSWD: AC_FLASH_USB