From: Scott Worley <scottworley@scottworley.com>
Date: Sun, 29 Mar 2026 08:40:05 +0000 (-0700)
Subject: Narrow sudoers to runAs=root
X-Git-Url: http://git.scottworley.com/auto-upgrade-with-pinch/commitdiff_plain/a811aa4a1c703ab559390310e21cab7625b8b947?hp=a084161200e7edcdb818651e8b23a0757507579e

Narrow sudoers to runAs=root
---

diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix
index c52f0bc..7d2404c 100644
--- a/modules/auto-upgrade.nix
+++ b/modules/auto-upgrade.nix
@@ -281,6 +281,7 @@ in
     security.sudo.extraRules = lib.mkAfter [
       {
         groups = [ "users" ];
+        runAs = "root";
         commands = [
           {
             command = "${auto-upgrade-script}";