feat: Prevent loading Homebrew env if user is root. #914

Merged
RoyalOughtness merged 3 commits into secureblue:live from HastD:no-brew-root
Mar 10, 2025
Conversation

@HastD
Collaborator

@HastD HastD commented Mar 10, 2025

This patches /etc/profile.d/brew.sh and /etc/profile.d/brew-bash-completions.sh to skip loading the Homebrew shell environment if the user is root. This addresses part of #628 (the part about these two scripts sourcing non-locked-down files, not the part about auditing /etc/profile).

@HastD HastD requested a review from RoyalOughtness as a code owner March 10, 2025 00:28
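
The root check described in the PR description above, sketched as a profile.d-style script. This is an added example, not the patch from this PR or the blue-build module; the function name `should_load_brew_env` and the `BREW_PREFIX` variable are hypothetical, and the default prefix is assumed to be Homebrew's standard Linux location.

```shell
# Added example (not the project's script). BREW_PREFIX and
# should_load_brew_env are hypothetical names; the default prefix is
# assumed to be the standard Homebrew-on-Linux location.
BREW_PREFIX="${BREW_PREFIX:-/home/linuxbrew/.linuxbrew}"

# Return 0 only when loading the Homebrew environment is acceptable.
#   $1 = UID to evaluate (defaults to the current user's UID)
#   $2 = Homebrew prefix (defaults to BREW_PREFIX)
# Prefixed variable names are used because profile.d scripts are sourced
# into the login shell and should not clobber the user's variables.
should_load_brew_env() {
    _brew_uid="${1:-$(id -u)}"
    _brew_prefix="${2:-$BREW_PREFIX}"

    # Root never loads it: a root login shell should not source or eval
    # output from files that are not locked down.
    if [ "$_brew_uid" -eq 0 ]; then
        return 1
    fi

    # Nothing to load if brew is not installed under the prefix.
    if [ ! -x "$_brew_prefix/bin/brew" ]; then
        return 1
    fi

    return 0
}

# Top-level behaviour when sourced from /etc/profile.d: evaluate
# `brew shellenv` only when the guard passes for the current user.
if should_load_brew_env; then
    eval "$("$BREW_PREFIX/bin/brew" shellenv)"
fi
```
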
@HastD
Collaborator Author

HastD commented Mar 10, 2025

Looks like blue-build just decided to incorporate this patch: blue-build/modules@e66445d
So is this still necessary?

RoyalOughtness previously approved these changes Mar 10, 2025
@RoyalOughtness
Collaborator

> Looks like blue-build just decided to incorporate this patch: blue-build/modules@e66445d
> So is this still necessary?

oh, even better! We can close this then

@HastD
Collaborator Author

HastD commented Mar 10, 2025

Wait, something doesn't look quite right... is /etc/profile.d/brew.sh duplicated between the blue-build module and secureblue? So I think either secureblue's copy of brew.sh needs to be updated to match, or just delete it and the brew module from blue-build will recreate it with the "no root" changes anyway?

@RoyalOughtness
Collaborator

> Wait, something doesn't look quite right... is /etc/profile.d/brew.sh duplicated between the blue-build module and secureblue? So I think either secureblue's copy of brew.sh needs to be updated to match, or just delete it and the brew module from blue-build will recreate it with the "no root" changes anyway?

you're right... we need to remove ours

@HastD
Collaborator Author

HastD commented Mar 10, 2025

I'll change this PR to do it, one sec.

@RoyalOughtness RoyalOughtness merged commit b6bdf6f into secureblue:live Mar 10, 2025
7 checks passed
@HastD HastD deleted the no-brew-root branch March 10, 2025 19:01
RoyalOughtness pushed a commit to RoyalOughtness/secureblue-dev that referenced this pull request Aug 4, 2025