Comments (6)
Duplicate of #17905, WONTFIX sorry.
from brew.
Thanks for continuing the conversation.
> > `brew` should restore sudo access for ensuing processes, even if it blocks it for itself.
>
> @bhavanki If you can provide details (ideally a pull request) for how this is technically possible: we'd love that. We haven't been able to figure out how to do this yet.

Yeah, I doubt access can be restored (especially if you all haven't discovered how to). With some further experimenting, I did find a workaround for leaving access in place. It works because `sudo` caches credentials by user and by TTY, so if the `brew` command runs in its own TTY, it can freely do away with any inherited access (in fact, I think it never gets it).
This Stack Overflow answer proposes using the `script` command for this purpose, and it seems to work. I created this shell function to call instead of `brew` in my own script.
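```sh
# Run the real brew on its own pseudo-TTY via script(1), then strip the
# carriage returns that script adds to the output.
brew() {
  script -q /dev/null "$(command -v brew)" "$@" | sed 's/\r//g'
}
```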
(This is for macOS. Also, the `script` command seems to emit rogue carriage return characters, hence the `sed` usage.)
I don't imagine that this exact mechanism could work in `brew`, but maybe something else adjusting the TTY might. Anyway, hopefully this will solve the problem within my own script.
And, just for completeness: Ansible lets you supply a "become" password which is equivalent to prompting for sudo. It's an extra prompt for the user, but lets Ansible run steps requiring sudo without requiring it to be established ahead of time. It's probably the "right" way anyway.
> > - The problem is in formula privilege escalation, but the removal of sudo occurs for any execution of `brew`.
>
> Almost all executions of Homebrew (not just installs) may require reading potentially untrusted Ruby code. It's hard to scope this much more tightly than it is currently, unfortunately.

Ah, understood, that's too bad!
from brew.
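The workaround in the comment above, generalised as an added example (not code from the thread or from Homebrew): it runs a command on its own pseudo-terminal on macOS or Linux and then checks whether the caller's sudo ticket is still valid. All function names are hypothetical; the Linux branch assumes util-linux `script`, and the check assumes the per-TTY ticket behaviour described in the comment.

```shell
# Added example, not from the thread; every function name here is hypothetical.

# Quote each argument for the single command string that util-linux
# `script -c` expects (macOS `script` takes the command as separate words).
quote_args() (
  out=
  for a in "$@"; do
    q=$(printf '%s' "$a" | sed "s/'/'\\\\''/g")
    out="$out'$q' "
  done
  printf '%s' "${out% }"
)

# Run a command on a fresh pseudo-terminal and drop the carriage returns
# the pty adds. The pipeline's exit status is tr's, not the command's.
run_in_pty() {
  case "$(uname -s)" in
    Darwin) script -q /dev/null "$@" | tr -d '\r' ;;
    Linux)  script -q -c "$(quote_args "$@")" /dev/null | tr -d '\r' ;;
    *)      echo "run_in_pty: unsupported platform" >&2; return 2 ;;
  esac
}

# True when sudo would run without prompting on the current TTY.
# Also true under a NOPASSWD rule, so it only suggests a cached ticket.
sudo_ticket_valid() { sudo -n true 2>/dev/null; }

# Run "$@" on its own pty, then check the caller's ticket.
# Returns 0 = ticket survived, 1 = ticket lost, 2 = nothing to check.
ticket_survives() {
  sudo_ticket_valid || return 2
  run_in_pty "$@" || return 2
  sudo_ticket_valid || return 1
}

# Usage from a provisioning script, after the user has authenticated once:
#   sudo -v && ticket_survives brew update || echo "sudo ticket not kept" >&2
```

A return of 1 from `ticket_survives` means the isolation did not hold on that host, so the script should re-prompt before its next `sudo` step.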
Thanks @bhavanki!
from brew.
This recent PR introduced the new behavior. #17694
from brew.
I understand the reason for the change. However, IMO this new behavior is an overreach.
- The problem is in formula privilege escalation, but the removal of sudo occurs for any execution of `brew`. The scope of the fix is too broad. (Reducing the scope wouldn't fully fix this problem, to be fair.)
- An executable should not alter its calling environment as a side effect. `brew` should restore sudo access for ensuing processes, even if it blocks it for itself.
from brew.
> `brew` should restore sudo access for ensuing processes, even if it blocks it for itself.

@bhavanki If you can provide details (ideally a pull request) for how this is technically possible: we'd love that. We haven't been able to figure out how to do this yet.

> - The problem is in formula privilege escalation, but the removal of sudo occurs for any execution of `brew`.

Almost all executions of Homebrew (not just installs) may require reading potentially untrusted Ruby code. It's hard to scope this much more tightly than it is currently, unfortunately.
from brew.