I have done the following
Steps to reproduce
$ container machine create local/debian-unstable:latest --name dev
dev
$ container machine run --name dev -- id
uid=502(user.name) gid=20(dialout) groups=20(dialout)
$ container machine run --name dev -- sudo apt-get update
sudo: a terminal is required to read the password; either use the -S option to read from standard input or configure an askpass helper
sudo: a password is required
Workaround:
$ container machine run --name dev --root -- mv /etc/sudoers.d/user.name /etc/sudoers.d/user-name
$ container machine run --name dev -- sudo apt-get update
Get:1 http://deb.debian.org/debian unstable InRelease [189 kB]
Get:2 http://deb.debian.org/debian unstable/main arm64 Packages [10.4 MB]
Fetched 10.6 MB in 2s (5022 kB/s)
Reading package lists...
Problem description
sudo's #includedir/@includedir processing silently ignores any file in /etc/sudoers.d whose name contains a . or ends in ~ [0]. When the macOS username contains a dot (e.g. user.name), the drop-in is named /etc/sudoers.d/user.name, so sudo never reads it. The NOPASSWD rule is silently dropped and the user cannot sudo even though the file exists with the correct content and mode, sudo is installed, and
/etc/passwd maps the UID to the right name. Everything looks correctly configured, which makes it hard to diagnose.
The fix would be to sanitize the filename (not the rule). Usernames containing . are perfectly valid inside a sudoers rule, so only the drop-in filename needs adjusting.
[0] https://man7.org/linux/man-pages/man5/sudoers.5.html
The rule exists to skip package-manager and editor backup files.
Environment
- OS: 25.5.0 Darwin Kernel Version 25.5.0: Mon Apr 27 20:38:00 PDT 2026; root:xnu-12377.121.6~2/RELEASE_ARM64_T8103 arm64
- Xcode: N/A
- Container: container CLI version 1.0.0 (build: release, commit: unspeci)
Code of Conduct
I have done the following
Steps to reproduce
Workaround:
Problem description
sudo's
#includedir/@includedirprocessing silently ignores any file in/etc/sudoers.dwhose name contains a.or ends in~[0]. When the macOS username contains a dot (e.g.user.name), the drop-in is named/etc/sudoers.d/user.name, so sudo never reads it. The NOPASSWD rule is silently dropped and the user cannot sudo even though the file exists with the correct content and mode, sudo is installed, and/etc/passwdmaps the UID to the right name. Everything looks correctly configured, which makes it hard to diagnose.The fix would be to sanitize the filename (not the rule). Usernames containing
.are perfectly valid inside a sudoers rule, so only the drop-in filename needs adjusting.[0] https://man7.org/linux/man-pages/man5/sudoers.5.html
The rule exists to skip package-manager and editor backup files.
Environment
Code of Conduct