Support bash in privileged mode

Bo98 · Bo98 · commit d7dcf79ef3a5 · 2024-03-25T15:26:09.000Z
diff --git a/Library/Homebrew/brew.sh b/Library/Homebrew/brew.sh
@@ -216,7 +216,7 @@ numeric() {
 }
 
 check-run-command-as-root() {
-  [[ "$(id -u)" == 0 ]] || return
+  [[ "$(id -u)" == 0 || "$(id -ur)" == 0 ]] || return
 
   # Allow Azure Pipelines/GitHub Actions/Docker/Concourse/Kubernetes to do everything as root (as it's normal there)
   [[ -f /.dockerenv ]] && return
diff --git a/Library/Homebrew/global.rb b/Library/Homebrew/global.rb
@@ -106,8 +106,8 @@ def auditing?
     end
 
     def running_as_root?
-      @process_uid ||= Process.uid
-      @process_uid.zero?
+      @process_euid ||= Process.euid
+      @process_euid.zero?
     end
 
     def owner_uid
diff --git a/Library/Homebrew/shims/shared/curl b/Library/Homebrew/shims/shared/curl
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -p
 
 # Make our $HOMEBREW_CURL selection universal - including in formulae usage.
 
diff --git a/Library/Homebrew/shims/shared/git b/Library/Homebrew/shims/shared/git
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -p
 
 # This script because we support $HOMEBREW_GIT, $HOMEBREW_SVN, etc., Xcode-only and
 # no Xcode/CLT configurations. Order is careful to be what the user would want.
diff --git a/Library/Homebrew/utils/fork.rb b/Library/Homebrew/utils/fork.rb
@@ -42,6 +42,9 @@ def self.safe_fork
           server.close
           read.close
           write.fcntl(Fcntl::F_SETFD, Fcntl::FD_CLOEXEC)
+
+          Process::UID.change_privilege(Process.euid) if Process.euid != Process.uid
+
           yield
         rescue Exception => e # rubocop:disable Lint/RescueException
           error_hash = JSON.parse e.to_json
diff --git a/Library/Homebrew/utils/lock.sh b/Library/Homebrew/utils/lock.sh
@@ -44,12 +44,17 @@ _create_lock() {
   [[ -x "${ruby}" ]] || ruby="$(type -P ruby)"
   [[ -x "${python}" ]] || python="$(type -P python)"
 
-  if [[ -x "${ruby}" ]] && "${ruby}" -e "exit(RUBY_VERSION >= '1.8.7')"
+  # Use a bash subprocess to reset setuid, which Ruby can error if != euid.
+  if [[ -x "${ruby}" ]] && /bin/bash -c "\"${ruby}\" -e \"exit(RUBY_VERSION >= '1.8.7')\""
   then
-    "${ruby}" -e "File.new(${lock_fd}).flock(File::LOCK_EX | File::LOCK_NB) || exit(1)"
+    /bin/bash <<-SCRIPT
+      "${ruby}" -e "File.new(${lock_fd}).flock(File::LOCK_EX | File::LOCK_NB) || exit(1)"
+SCRIPT
   elif [[ -x "${python}" ]]
   then
-    "${python}" -c "import fcntl; fcntl.flock(${lock_fd}, fcntl.LOCK_EX | fcntl.LOCK_NB)"
+    /bin/bash <<-SCRIPT
+      "${python}" -c "import fcntl; fcntl.flock(${lock_fd}, fcntl.LOCK_EX | fcntl.LOCK_NB)"
+SCRIPT
   elif [[ -x "$(type -P flock)" ]]
   then
     flock -n "${lock_fd}"
diff --git a/bin/brew b/bin/brew
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -p
 set -u
 
 # Fail fast with concise message when not using bash
@@ -245,4 +245,4 @@ then
 fi
 unset VAR ENV_VAR_NAMES
 
-exec /usr/bin/env -i "${FILTERED_ENV[@]}" /bin/bash "${HOMEBREW_LIBRARY}/Homebrew/brew.sh" "$@"
+exec /usr/bin/env -i "${FILTERED_ENV[@]}" /bin/bash -p "${HOMEBREW_LIBRARY}/Homebrew/brew.sh" "$@"

Original file line number	Diff line number	Diff line change
`@@ -216,7 +216,7 @@ numeric() {`
`216`	`216`	`}`
`217`	`217`
`218`	`218`	`check-run-command-as-root() {`
`219`		`- [[ "$(id -u)" == 0 ]] \|\| return`
	`219`	`+ [[ "$(id -u)" == 0 \|\| "$(id -ur)" == 0 ]] \|\| return`
`220`	`220`
`221`	`221`	`# Allow Azure Pipelines/GitHub Actions/Docker/Concourse/Kubernetes to do everything as root (as it's normal there)`
`222`	`222`	`[[ -f /.dockerenv ]] && return`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-#!/bin/bash`
	`1`	`+#!/bin/bash -p`
`2`	`2`
`3`	`3`	`# Make our $HOMEBREW_CURL selection universal - including in formulae usage.`
`4`	`4`