zplug icon indicating copy to clipboard operation
zplug copied to clipboard
verified publisher icon zplug

Deactivated security check at compinit

Open toadjaune opened this issue 8 years ago • 14 comments

toadjaune avatar Apr 21 '17 07:04 toadjaune

See https://github.com/zplug/zplug/issues/397 for explanations.

toadjaune avatar Apr 21 '17 07:04 toadjaune

Well, there is WIP in this P-R titile. What do you mean?

babarot avatar May 28 '17 15:05 babarot

I had put WIP in the title because in the initial PR, I had just completely disabled the security. I guess it doesn't make sense anymore since we seem to have a proper fix.

However, I'm a bit confused by the compinit line in core.zsh, which alwas has the security disabled. Is this because it's supposed to load a dump file already generated by load.zsh ?

toadjaune avatar Jun 03 '17 12:06 toadjaune

After re-reading the change request, I'm not sure what you guys are asking for : if [[ -n $UID ] && [ -n $SUDO_USER ]] ; then or if [[ -n $UID ]] && [[ -n $SUDO_USER ]] ; then ?

toadjaune avatar Jul 19 '17 03:07 toadjaune

I would say this: if [[ ${UID} -eq 0 ]] && [[ -n ${SUDO_USER} ]]; then If you are root "[[ ${UID} == 0 ]]" and used sudo to be it "[[ -n ${SUDO_USER} ]]" then disable security check

This will not work because syntax is wrong: if [[ -n $UID ] && [ -n $SUDO_USER ]] ; then

And both check a condition that doesn't matter: if [[ -n $UID ]] && [[ -n $SUDO_USER ]] ; then $UID is always set

NemesisRE avatar Jul 19 '17 08:07 NemesisRE

Changed according to your latest suggestion, @NemesisRE. Everybody happy with this ?

toadjaune avatar Jul 24 '17 08:07 toadjaune

LGTM

qrevel avatar Sep 18 '17 09:09 qrevel

I'll check it later

babarot avatar Sep 19 '17 07:09 babarot

@b4b4r07, any news ?

toadjaune avatar Oct 01 '17 16:10 toadjaune

How about a more generic COMPINIT_ARGS or otherwise open this up to more use cases?

I'd like to use this to solve the issue of multiple users + home-brew #428

g0t4 avatar May 07 '18 16:05 g0t4

@g0t4 I'm not sure about that. Providing a way to manually skip the security check seems sensible (since in edge cases such as yours, it's a blocking issue).

I feel however like the simple use of sudo is way more common, and should work out-of-the box, both in terms of usability and security (we're not talking about deleting the security check, but only remove the second execution)

Don't get me wrong, I agree that we need a manual override, I would just prefer to treat it as a separate issue.

toadjaune avatar Jun 11 '18 16:06 toadjaune

This is still an annoying issue while using sudo.

How about a specific variable (maybe ZPLUG_COMPINIT_UNSECURE or something else) well documented and disabled by default.

Something like this:

if [ ${UID} ] && [ -n ${SUDO_USER} ] && [ "${ZPLUG_COMPINIT_UNSECURE}" = "1" ]

What do you think?

k0lter avatar Jan 04 '19 14:01 k0lter

any news on this issue?

The environment variable (either ZPLUG_COMPINIT_UNSECURE, ZSH_DISABLE_COMPFIX or COMPINIT_ARGS) diabled by default seems reasonable? what to you think?

k0lter avatar May 16 '20 11:05 k0lter

This is still something I always have to patch myself when using my zsh with zplug. :/

TiiFuchs avatar Oct 21 '20 21:10 TiiFuchs