fix: 修复 sudo 在非交互模式下无法执行的问题

问题原因：
- sudo 命令没有 -n 选项
- 在后台服务中，sudo 会尝试从终端读取密码
- 由于没有终端，命令静默失败

修复内容：
- 添加 sudo -n 选项强制非交互模式
- 如果需要密码会立即失败并返回错误，而不是挂起

.gitignore

@@ -91,4 +91,5 @@ backend/data/
 # ===================
 tests
 CLAUDE.md
-.claude
+.claude
+scripts

backend/internal/pkg/sysutil/restart.go

@@ -32,7 +32,8 @@ func RestartService() error {
 
 	// The sub2api user has NOPASSWD sudo access for systemctl commands
 	// (configured by install.sh in /etc/sudoers.d/sub2api).
-	cmd := exec.Command("sudo", "systemctl", "restart", serviceName)
+	// Use -n (non-interactive) to prevent sudo from waiting for password input
+	cmd := exec.Command("sudo", "-n", "systemctl", "restart", serviceName)
 	if err := cmd.Start(); err != nil {
 		return fmt.Errorf("failed to initiate service restart: %w", err)
 	}

backend/internal/service/gateway_service.go

@@ -35,25 +35,25 @@ const (
 
 // allowedHeaders 白名单headers（参考CRS项目）
 var allowedHeaders = map[string]bool{
-	"accept":                                  true,
-	"x-stainless-retry-count":                 true,
-	"x-stainless-timeout":                     true,
-	"x-stainless-lang":                        true,
-	"x-stainless-package-version":             true,
-	"x-stainless-os":                          true,
-	"x-stainless-arch":                        true,
-	"x-stainless-runtime":                     true,
-	"x-stainless-runtime-version":             true,
-	"x-stainless-helper-method":               true,
+	"accept":                                    true,
+	"x-stainless-retry-count":                   true,
+	"x-stainless-timeout":                       true,
+	"x-stainless-lang":                          true,
+	"x-stainless-package-version":               true,
+	"x-stainless-os":                            true,
+	"x-stainless-arch":                          true,
+	"x-stainless-runtime":                       true,
+	"x-stainless-runtime-version":               true,
+	"x-stainless-helper-method":                 true,
 	"anthropic-dangerous-direct-browser-access": true,
-	"anthropic-version":                       true,
-	"x-app":                                   true,
-	"anthropic-beta":                          true,
-	"accept-language":                         true,
-	"sec-fetch-mode":                          true,
-	"accept-encoding":                         true,
-	"user-agent":                              true,
-	"content-type":                            true,
+	"anthropic-version":                         true,
+	"x-app":                                     true,
+	"anthropic-beta":                            true,
+	"accept-language":                           true,
+	"sec-fetch-mode":                            true,
+	"accept-encoding":                           true,
+	"user-agent":                                true,
+	"content-type":                              true,
 }
 
 // ClaudeUsage 表示Claude API返回的usage信息
@@ -418,13 +418,19 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *m
 	}
 
 	// 构建上游请求
-	upstreamReq, err := s.buildUpstreamRequest(ctx, c, account, body, token, tokenType)
+	upstreamResult, err := s.buildUpstreamRequest(ctx, c, account, body, token, tokenType)
 	if err != nil {
 		return nil, err
 	}
 
+	// 选择使用的client：如果有代理则使用独立的client，否则使用共享的httpClient
+	httpClient := s.httpClient
+	if upstreamResult.Client != nil {
+		httpClient = upstreamResult.Client
+	}
+
 	// 发送请求
-	resp, err := s.httpClient.Do(upstreamReq)
+	resp, err := httpClient.Do(upstreamResult.Request)
 	if err != nil {
 		return nil, fmt.Errorf("upstream request failed: %w", err)
 	}
@@ -437,11 +443,16 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *m
 		if err != nil {
 			return nil, fmt.Errorf("token refresh failed: %w", err)
 		}
-		upstreamReq, err = s.buildUpstreamRequest(ctx, c, account, body, token, tokenType)
+		upstreamResult, err = s.buildUpstreamRequest(ctx, c, account, body, token, tokenType)
 		if err != nil {
 			return nil, err
 		}
-		resp, err = s.httpClient.Do(upstreamReq)
+		// 重试时也需要使用正确的client
+		httpClient = s.httpClient
+		if upstreamResult.Client != nil {
+			httpClient = upstreamResult.Client
+		}
+		resp, err = httpClient.Do(upstreamResult.Request)
 		if err != nil {
 			return nil, fmt.Errorf("retry request failed: %w", err)
 		}
@@ -480,7 +491,13 @@ func (s *GatewayService) Forward(ctx context.Context, c *gin.Context, account *m
 	}, nil
 }
 
-func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Context, account *model.Account, body []byte, token, tokenType string) (*http.Request, error) {
+// buildUpstreamRequestResult contains the request and optional custom client for proxy
+type buildUpstreamRequestResult struct {
+	Request *http.Request
+	Client  *http.Client // nil means use default s.httpClient
+}
+
+func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Context, account *model.Account, body []byte, token, tokenType string) (*buildUpstreamRequestResult, error) {
 	// 确定目标URL
 	targetURL := claudeAPIURL
 	if account.Type == model.AccountTypeApiKey {
@@ -549,7 +566,8 @@ func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Contex
 		req.Header.Set("anthropic-beta", s.getBetaHeader(body, c.GetHeader("anthropic-beta")))
 	}
 
-	// 配置代理
+	// 配置代理 - 创建独立的client避免并发修改共享httpClient
+	var customClient *http.Client
 	if account.ProxyID != nil && account.Proxy != nil {
 		proxyURL := account.Proxy.URL()
 		if proxyURL != "" {
@@ -566,12 +584,18 @@ func (s *GatewayService) buildUpstreamRequest(ctx context.Context, c *gin.Contex
 					IdleConnTimeout:       90 * time.Second,
 					ResponseHeaderTimeout: responseHeaderTimeout,
 				}
-				s.httpClient.Transport = transport
+				// 创建独立的client，避免并发时修改共享的s.httpClient.Transport
+				customClient = &http.Client{
+					Transport: transport,
+				}
 			}
 		}
 	}
 
-	return req, nil
+	return &buildUpstreamRequestResult{
+		Request: req,
+		Client:  customClient,
+	}, nil
 }
 
 // getBetaHeader 处理anthropic-beta header

deploy/install.sh

@@ -483,9 +483,24 @@ download_and_extract() {
 create_user() {
     if id "$SERVICE_USER" &>/dev/null; then
         print_info "$(msg 'user_exists'): $SERVICE_USER"
+        # Fix: Ensure existing user has /bin/sh shell for sudo to work
+        # Previous versions used /bin/false which prevents sudo execution
+        local current_shell
+        current_shell=$(getent passwd "$SERVICE_USER" 2>/dev/null | cut -d: -f7)
+        if [ "$current_shell" = "/bin/false" ] || [ "$current_shell" = "/sbin/nologin" ]; then
+            print_info "Fixing user shell for sudo compatibility..."
+            if usermod -s /bin/sh "$SERVICE_USER" 2>/dev/null; then
+                print_success "User shell updated to /bin/sh"
+            else
+                print_warning "Failed to update user shell. Service restart may not work automatically."
+                print_warning "Manual fix: sudo usermod -s /bin/sh $SERVICE_USER"
+            fi
+        fi
     else
         print_info "$(msg 'creating_user') $SERVICE_USER..."
-        useradd -r -s /bin/false -d "$INSTALL_DIR" "$SERVICE_USER"
+        # Use /bin/sh instead of /bin/false to allow sudo execution
+        # The user still cannot login interactively (no password set)
+        useradd -r -s /bin/sh -d "$INSTALL_DIR" "$SERVICE_USER"
         print_success "$(msg 'user_created')"
     fi
 }
@@ -510,18 +525,18 @@ setup_directories() {
 setup_sudoers() {
     print_info "$(msg 'setting_up_sudoers')"
 
-    # Check if sudoers file exists in install dir
-    if [ -f "$INSTALL_DIR/sub2api-sudoers" ]; then
-        cp "$INSTALL_DIR/sub2api-sudoers" /etc/sudoers.d/sub2api
-    else
-        # Create sudoers file
-        cat > /etc/sudoers.d/sub2api << 'EOF'
+    # Always generate sudoers file from script (not from tar.gz)
+    # This ensures the latest configuration is used even with older releases
+    # Support both /bin/systemctl and /usr/bin/systemctl for different distros
+    cat > /etc/sudoers.d/sub2api << 'EOF'
 # Sudoers configuration for Sub2API
 sub2api ALL=(ALL) NOPASSWD: /bin/systemctl restart sub2api
 sub2api ALL=(ALL) NOPASSWD: /bin/systemctl stop sub2api
 sub2api ALL=(ALL) NOPASSWD: /bin/systemctl start sub2api
+sub2api ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart sub2api
+sub2api ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop sub2api
+sub2api ALL=(ALL) NOPASSWD: /usr/bin/systemctl start sub2api
 EOF
-    fi
 
     # Set correct permissions (required for sudoers files)
     chmod 440 /etc/sudoers.d/sub2api

deploy/sub2api-sudoers

@@ -8,6 +8,10 @@
 # SECURITY NOTE: This grants limited sudo access only for service management
 
 # Allow sub2api user to restart the service without password
+# Support both /bin/systemctl (Debian/Ubuntu) and /usr/bin/systemctl (RHEL/CentOS)
 sub2api ALL=(ALL) NOPASSWD: /bin/systemctl restart sub2api
 sub2api ALL=(ALL) NOPASSWD: /bin/systemctl stop sub2api
 sub2api ALL=(ALL) NOPASSWD: /bin/systemctl start sub2api
+sub2api ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart sub2api
+sub2api ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop sub2api
+sub2api ALL=(ALL) NOPASSWD: /usr/bin/systemctl start sub2api