I like to be able to run some commands installed via Homebrew without typing my sudo password. The problem is that Homebrew installs everything with user permissions, so if I add the executables to sudo's NOPASSWD list (via `user ALL = (ALL) NOPASSWD: ...`), these files can be replaced and so any arbitrary program can run as sudo. `chown`ing the executables would also be problematic, as it will break Homebrew's update mechanism. Homebrew can't be installed on the root account either. What should I do?
HappyFace
1 Answer
-2
So, either you find a mechanism to find all the executables that you want to be able to run as root, or allow your user to run everything as root:
user ALL=(ALL) NOPASSWD: ALL
Run this from cron and use the output to update a file in `/etc/sudoers.d`.
If you want to be sure that a program is not updated by the user, install using a separate `homebrew` user. In that way, your user is not able to change the programs (only the user `homebrew` can update the programs and all programs are owned by him).
Ljm Dullaart
- The problem is that brew's executables are user writable, so giving any single one of them NOPASSWD will effectively give away the sudo privilege to all user applications. – HappyFace Aug 23 '20 at 15:38
- I don't get it. You state "I like to be able to run some commands installed via Homebrew without typing my sudo password." Then you say it is a problem, because you give away root-permissions to users? Is it a shared computer? If so: give only yourself the NOPASSWD. Note that homebrew-applications in general do not use sudo to elevate their privileges, so as long as you run them as a normal user, those user applications do not just get root rights. – Ljm Dullaart Aug 24 '20 at 07:26
- You see, there is some program X that I have installed via Homebrew that needs sudo to run. I want to run this without typing my password. But I do not want to give any arbitrary program on my computer the ability to get root without my typing my password. Using NOPASSWD on a user-writable binary will enable any arbitrary process to get root without my knowing. – HappyFace Aug 24 '20 at 12:28
- Ah! Now I understand. Sorry for my slowness. Creating a separate `homebrew` user then seems to be the solution. – Ljm Dullaart Aug 24 '20 at 14:27
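The risk raised in the question and the separate-owner fix from the answer can be checked before a command is added to sudoers. The script below is an added example, not code from either poster: it resolves a command path and confirms that the file and every directory above it are owned by root or by one trusted account and are not group- or world-writable. The function names are this example's own, and the trusted uid (for instance that of a dedicated `homebrew` account) is an assumed parameter.

```shell
#!/bin/sh
# Added example: can the command named in a NOPASSWD rule be replaced?
# If the binary, or any directory above it, is writable by an account other
# than root or the trusted owner, a swapped-in file would run as root.

# resolve PATH: follow symlinks (Homebrew links bin/ entries into its Cellar).
# Uses readlink(1), which is not POSIX but ships with macOS and Linux.
resolve() {
    p=$1 n=0
    while [ -L "$p" ]; do
        n=$((n + 1)); [ "$n" -le 40 ] || return 1   # symlink loop guard
        d=$(cd -P "$(dirname "$p")" && pwd -P) || return 1
        t=$(readlink "$p")
        case $t in /*) p=$t ;; *) p=$d/$t ;; esac
    done
    d=$(cd -P "$(dirname "$p")" && pwd -P) || return 1
    [ "$d" = / ] && d=
    printf '%s/%s\n' "$d" "$(basename "$p")"
}

# node_locked PATH UID: true if PATH is owned by root or UID and carries no
# group/other write bit. Mode bits only; ACLs are not inspected.
node_locked() {
    [ -n "$(find -H "$1" -prune \( -user 0 -o -user "$2" \) \
            ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# chain_locked PATH [UID]: check the resolved file and each ancestor up to /.
# UID defaults to 0, i.e. only root may own anything on the path.
chain_locked() {
    uid=${2:-0}
    p=$(resolve "$1") || return 2
    while :; do
        node_locked "$p" "$uid" || { echo "replaceable via: $p" >&2; return 1; }
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Stand-alone use: ./check.sh /path/to/command [trusted-uid]
[ "$#" -eq 0 ] || chain_locked "$@"
```

A non-zero exit names the first path component that a non-trusted account could modify; that command should not go into a NOPASSWD rule until its ownership is fixed.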