Skip to content

brew.sh: enforce HOMEBREW_FORCE_BREW_WRAPPER more strictly #20400

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 10 commits into from
Aug 18, 2025
Merged

brew.sh: enforce HOMEBREW_FORCE_BREW_WRAPPER more strictly #20400

merged 10 commits into from
Aug 18, 2025

Conversation

carlocab
Copy link
Member

@carlocab carlocab commented Aug 8, 2025

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

HOMEBREW_FORCE_BREW_WRAPPER can be used as a security/compliance
feature, but allowing it to be disabled by setting
HOMEBREW_NO_FORCE_BREW_WRAPPER leaves a pretty large hole in it that
allows it to be sidestepped.

Let's fix that by actually checking the path of the process that called
brew, and the verify that that path matches the configured value of
HOMEBREW_NO_FORCE_BREW_WRAPPER.

@carlocab
brew.sh: enforce HOMEBREW_FORCE_BREW_WRAPPER more strictly
a7c124c 
`HOMEBREW_FORCE_BREW_WRAPPER` can be used as a security/compliance
feature, but allowing it to be disabled by setting
`HOMEBREW_NO_FORCE_BREW_WRAPPER` leaves a pretty large hole in it that
allows it to be sidestepped.

Let's fix that by actually checking the path of the process that called
`brew`, and the verify that that path matches the configured value of
`HOMEBREW_NO_FORCE_BREW_WRAPPER`.
@carlocab carlocab requested a review from Bo98 August 8, 2025 19:23
@carlocab carlocab self-assigned this Aug 8, 2025
MikeMcQuaid
MikeMcQuaid reviewed Aug 11, 2025
View reviewed changes
Copy link
Member

@MikeMcQuaid MikeMcQuaid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @carlocab! A bunch of comments, sorry!

carlocab and others added 3 commits August 13, 2025 13:55
@carlocab @MikeMcQuaid
Apply review suggestions for pid_path.rb
e8828c1 
Co-authored-by: MikeMcQuaid <[email protected]>
@carlocab
Restore HOMEBREW_BREW_WRAPPER and HOMEBREW_FORCE_BREW_WRAPPER
144c7f6 
These need to go through a deprecation cycle, so let's just add comments
preparing it for that.
@carlocab
Restore handling of HOMEBREW_BREW_WRAPPER
b7d8072 
This now requires `HOMEBREW_DISABLE_NO_FORCE_BREW_WRAPPER` to be unset.
If it is set (but only in a `brew.env` file), then we use the new
functionality of checking the path of the parent process.
MikeMcQuaid
MikeMcQuaid reviewed Aug 13, 2025
View reviewed changes
MikeMcQuaid
MikeMcQuaid reviewed Aug 13, 2025
View reviewed changes
Copy link
Member

@MikeMcQuaid MikeMcQuaid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, almost there!

@carlocab carlocab force-pushed the stricter-brew-wrappers branch from 7634d1d to ead3af9 Compare August 16, 2025 01:32
MikeMcQuaid
MikeMcQuaid approved these changes Aug 18, 2025
View reviewed changes
@carlocab carlocab enabled auto-merge August 18, 2025 10:47
@carlocab carlocab added this pull request to the merge queue Aug 18, 2025
Merged via the queue into main with commit 18a7740 Aug 18, 2025
44 checks passed
@carlocab carlocab deleted the stricter-brew-wrappers branch August 18, 2025 11:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MikeMcQuaid MikeMcQuaid MikeMcQuaid approved these changes

@Bo98 Bo98 Awaiting requested review from Bo98

Assignees

@carlocab carlocab

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@carlocab @MikeMcQuaid