Installing Homebrew in a sandbox

[Andrew-Au]

Output of brew config

N/A

Output of brew doctor

N/A

Description of issue

Platform: MacOS

From the FAQ:

If you need to run Homebrew in a multi-user environment, consider creating a separate user account specifically for use of Homebrew

Observations:

1. this has value in a single user environment also, as it prevents unmanaged write access to homebrew files (or to non-homebrew files while running brew)
2. the homebrew docs don't tell me how to do it

Goal: install homebrew in a sandbox such that any homebrew files can only be updated by a specific "homebrew" account.

What I did:

• create "homebrew" account (using standard account creation)
• hide account ( sudo dscl . create /Users/hiddenuser IsHidden 1 )
• temporarily grant homebrew account sudo permissions for mkdir, chmod, chown, chgrp & install
• install homebrew [see notes below]
• revoke sudo permissions
• configure homebrew paths for homebrew account; configure PATH, MANPATH, INFOPATH for user account
• check read permissions on homebrew account

This mostly works. The primary goal is met: homebrew can be updated by going sudo -u homebrew -I and then doing whatever I need to, but otherwise is read only. Also, homebrew can't write to my files, and I can't write to homebrew's files.

Remaining issues:

1. I'd really like to disable regular login for the homebrew user. However, I don't want to disable the shell, and whenever I search for "prevent user login with password" I get lots of results telling me how to allow logging in without a password which is exactly the opposite of what I'm trying to achieve. Is there a good way to prevent password log-in (so I can only access the homebrew account via a local admin account)?
2. Is there a cleaner way to create the homebrew sandbox account other than creating a regular account and turning stuff off? The account needs to be a "user", but not a real user.

Installation notes:

Homebrew tries to set the remote to https://github.com/Homebrew/brew . I could not get this to accept my user name and password while running effectively headless. I got it to work by setting up ssh keys and then setting HOMEBREW_BREW_GIT_REMOTE and HOMEBREW_CORE_GIT_REMOTE, to git@github.com:Homebrew/brew.git but this required trawling the install script.

[gromgit]

the homebrew docs don't tell me how to do it

That's likely because:

1. if you're going down this route, you're expected to know what you're doing
2. all the world's not /etc/passwd--macOS (and many enterprise Linux setups) use directory services, which are a rather different kettle of fish, and not everyone uses the same brand of directory services

Is there a good way to prevent password log-in (so I can only access the homebrew account via a local admin account)?

No, because reason [2] above. However, there's a cross-platform way to get the same effect: set the account password to a random string of decent length (I suggest at least 16 characters, generated by a password manager), then throw that password away.

Is there a cleaner way to create the homebrew sandbox account other than creating a regular account and turning stuff off?

Sure. You could just create a normal user account and not turn stuff off. Why do you feel the need to hide that account?

Personally, I'd:

1. Install Homebrew in the official way with an existing admin account
2. Create a new account (say, hb), with random password to be forgotten
3. Add eval "$(/path/to/brew shellenv)" to hb's shell startup files
4. chown -R hb: $(brew --prefix)

Homebrew tries to set the remote to https://github.com/Homebrew/brew . I could not get this to accept my user name and password while running effectively headless.

Sounds like you've got an over-broad insteadOf clause in your .gitconfig. If you're doing something like this:

[url "git@github.com:"]
        insteadOf = https://github.com/

then you're forcing git to access all of GitHub via credentialed SSH, which seems a bit excessive. That's why I do this instead:

[url "github_gromgit:gromgit/"]
        insteadOf = https://github.com/gromgit/

which just replaces URLs to my own account with my local SSH host shortcut. After all, I neither need nor intend to modify Homebrew's own repos.