From 7c5affa824b7a4444f03f84d0c597818e0f7d3b5 Mon Sep 17 00:00:00 2001 From: Mike McQuaid Date: Mon, 2 Jun 2025 15:09:27 +0100 Subject: [PATCH] brew.sh: move sudo reset timestamp. Let's move this from `bin/brew` to make things like e.g. `brew --prefix` or `brew shellenv` not reset the sudo timestamp. This is still in a place that ensures that e.g. no untrusted formula or tap code has been run yet so should have no security implications but provide mild usability improvements. --- Library/Homebrew/brew.sh | 16 ++++++++++++++++ bin/brew | 16 ---------------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/Library/Homebrew/brew.sh b/Library/Homebrew/brew.sh index beaaa1a3a8..38a4058b34 100644 --- a/Library/Homebrew/brew.sh +++ b/Library/Homebrew/brew.sh @@ -1078,6 +1078,22 @@ else export HOMEBREW_GITHUB_PACKAGES_AUTH="Bearer QQ==" fi +# Avoid picking up any random `sudo` in `PATH`. +if [[ -x /usr/bin/sudo ]] +then + SUDO=/usr/bin/sudo +else + # Do this after ensuring we're using default Bash builtins. + SUDO="$(command -v sudo 2>/dev/null)" +fi + +# Reset sudo timestamp to avoid running unauthorized sudo commands +if [[ -n "${SUDO}" ]] +then + "${SUDO}" --reset-timestamp 2>/dev/null || true +fi +unset SUDO + if [[ -n "${HOMEBREW_BASH_COMMAND}" ]] then # source rather than executing directly to ensure the entire file is read into diff --git a/bin/brew b/bin/brew index 3ccf7f68a2..f0b0e5adc3 100755 --- a/bin/brew +++ b/bin/brew @@ -57,22 +57,6 @@ do done unset cmd -# Avoid picking up any random `sudo` in `PATH`. -if [[ -x /usr/bin/sudo ]] -then - SUDO=/usr/bin/sudo -else - # Do this after ensuring we're using default Bash builtins. - SUDO="$(command -v sudo 2>/dev/null)" -fi - -# Reset sudo timestamp to avoid running unauthorized sudo commands -if [[ -n "${SUDO}" ]] -then - "${SUDO}" --reset-timestamp 2>/dev/null || true -fi -unset SUDO - # Take the HOMEBREW_PATH if we are running brew within brew, otherwise we would lose the original path. if [[ -n "${HOMEBREW_BREW_FILE:-}" && -n "${HOMEBREW_PATH:-}" ]] then