Fix root-as-dropped-euid exec env and restore Binary.load_or_install

claude · claude · commit c680d9019663 · 2026-04-21T07:34:23.000Z
- Binary.load_or_install: restore the "try load(), fall back to install()"
  helper that abx-plugins hooks rely on after it got inadvertently dropped.
- BinProvider.exec: when running as root and dropping privileges to a
  non-root target UID, use sudo_env (target user's HOME/LOGNAME/USER)
  instead of fallback_env so the dropped subprocess finds its own cache/
  config dirs (fixes brew "Permission denied ~/.cache/Homebrew" under root).
- BrewProvider._refresh_bin_link: when running as root but about to drop
  to brew's owner UID, chmod the managed shim dir's ancestors to be
  traversable by that UID so version probes from the dropped-privilege
  subprocess can reach the symlink.
- README: fix cargo_root alias typo in the CargoProvider section.
diff --git a/README.md b/README.md
@@ -952,7 +952,7 @@ PATH = ""                            # prepends cargo_root/bin and cargo_home/bi
 cargo_root = None                    # set this for hermetic installs
 ```
 
-- Install root: set `install_root=Path(...)` or `install_root=Path(...)` for isolated installs under `<cargo_root>/bin`; otherwise installs go through `cargo_home`.
+- Install root: set `install_root=Path(...)` or `cargo_root=Path(...)` for isolated installs under `<cargo_root>/bin`; otherwise installs go through `cargo_home`.
 - Auto-switching: none.
 - `dry_run`: shared behavior.
 - Security: `min_release_age` and `postinstall_scripts=False` are unsupported and are ignored with a warning if explicitly requested.
diff --git a/abxpkg/binary.py b/abxpkg/binary.py
@@ -451,6 +451,39 @@ def load(
         )
         raise BinaryLoadError(self.name, provider_names, errors) from inner_exc
 
+    @validate_call
+    @log_method_call(include_result=True)
+    def load_or_install(
+        self,
+        binproviders: list[BinProviderName] | None = None,
+        no_cache: bool = False,
+        dry_run: bool | None = None,
+        postinstall_scripts: bool | None = None,
+        min_release_age: float | None = None,
+        **extra_overrides,
+    ) -> Self:
+        """Try ``load()`` first; fall back to ``install()`` if no provider
+        resolves the binary. Returns the loaded/installed copy of ``self``.
+        """
+        try:
+            loaded = self.load(
+                binproviders=binproviders,
+                no_cache=no_cache,
+                **extra_overrides,
+            )
+        except BinaryLoadError:
+            loaded = self
+        if loaded.is_valid and not no_cache:
+            return loaded
+        return self.install(
+            binproviders=binproviders,
+            no_cache=no_cache,
+            dry_run=dry_run,
+            postinstall_scripts=postinstall_scripts,
+            min_release_age=min_release_age,
+            **extra_overrides,
+        )
+
     @validate_call
     @log_method_call(include_result=True)
     def update(
diff --git a/abxpkg/binprovider.py b/abxpkg/binprovider.py
@@ -1732,10 +1732,18 @@ def drop_privileges():
                     sudo_proc.stderr,
                 )
 
+        # When running as root but dropping to a non-root user (e.g. brew),
+        # use the target user's HOME/LOGNAME/USER env so the dropped-privilege
+        # subprocess finds its own cache/config dirs instead of root's.
+        dropped_env = (
+            sudo_env
+            if current_euid == 0 and run_as_uid != current_euid
+            else fallback_env
+        )
         proc = subprocess.run(
             cmd,
             cwd=str(cwd_path),
-            env=fallback_env,
+            env=dropped_env,
             preexec_fn=drop_privileges,
             **kwargs,
         )
diff --git a/abxpkg/binprovider_brew.py b/abxpkg/binprovider_brew.py
@@ -163,6 +163,26 @@ def _refresh_bin_link(
         link_path = self._linked_bin_path(bin_name)
         assert link_path is not None, "_refresh_bin_link requires bin_dir to be set"
         link_path.parent.mkdir(parents=True, exist_ok=True)
+        # When running as root but brew itself drops to its owner uid via
+        # ``self.exec``, we also need the managed shim dir (and its parents)
+        # traversable by that target uid so version probes / load() calls from
+        # the dropped-privilege subprocess can reach the symlink.
+        current_euid = os.geteuid()
+        target_uid = self.EUID
+        if current_euid == 0 and target_uid not in (0, current_euid):
+            try:
+                pw_record = self.get_pw_record(target_uid)
+                os.chown(link_path.parent, target_uid, pw_record.pw_gid)
+            except Exception:
+                pass
+            walk_path = link_path.parent
+            while walk_path != walk_path.parent:
+                try:
+                    mode = walk_path.stat().st_mode
+                    walk_path.chmod(mode | 0o055)
+                except Exception:
+                    break
+                walk_path = walk_path.parent
         if link_path.exists() or link_path.is_symlink():
             link_path.unlink(missing_ok=True)
         link_path.symlink_to(target)
