Zsh Mailing List Archive
Messages sorted by:
Reverse Date,
Date,
Thread,
Author
[PATCH 1/1] compaudit: add ZSH_COMPLETION_USERS parameter
compaudit trusts completion files owned by root, $EUID, and (on
systems with /proc) the owner of the zsh executable. When a package
manager installs completions under a dedicated service account,
none of those match, and compaudit rejects the files on every
shell start. Users are left with 'compinit -u' (which skips the
audit entirely), chowning the files (not always possible), or
dismissing the prompt each time.
Add ZSH_COMPLETION_USERS, a colon-delimited list of usernames or
numeric UIDs appended to compaudit's trusted owners list:
export ZSH_COMPLETION_USERS="workbrew:nixbld"
Trust is opt-in: the user (or system admin) names the additional
trusted owners explicitly, and compaudit still rejects files that
are world- or group-writable. The list can be set per-user in
~/.zshenv or system-wide in /etc/zshenv.
This generalizes exceptions already present in compaudit: trust of
the zsh executable's owner, and the Debian-specific trust of the
'staff' group for /usr/local.
Usernames are resolved with 'id -u' rather than 'getent passwd'.
The getent shim compaudit defines for systems without a real getent
cannot resolve 'passwd' entries on macOS, so 'id -u' avoids the
need for a separate fallback.
---
Completion/compaudit | 27 +++++++++++++++++++++++++++
Doc/Zsh/params.yo | 14 ++++++++++++++
2 files changed, 41 insertions(+)
diff --git a/Completion/compaudit b/Completion/compaudit
index 93a0431..008c892 100644
--- a/Completion/compaudit
+++ b/Completion/compaudit
@@ -89,6 +89,33 @@ fi
# present process.
local _i_owners="u0u${EUID}"
+# If ZSH_COMPLETION_USERS is set, add those users to the trusted owners list.
+# This allows system administrators to designate additional users (such as
+# package manager service accounts) as trusted completion file owners.
+#
+# The parameter should contain a colon-delimited list of usernames or numeric
+# UIDs, for example:
+# export ZSH_COMPLETION_USERS="workbrew:nixbld:1001"
+if [[ -n "$ZSH_COMPLETION_USERS" ]]; then
+ local _i_user _i_uid
+ for _i_user in ${(s.:.)ZSH_COMPLETION_USERS}; do
+ if [[ $_i_user == <-> ]]; then
+ # Numeric UID provided directly
+ _i_owners+="u${_i_user}"
+ else
+ # Username provided, resolve to UID via id command
+ # Using 'id -u' is more portable than getent and works with directory
+ # services on macOS, LDAP, etc.
+ _i_uid=$(id -u "$_i_user" 2>/dev/null)
+ if [[ -n "$_i_uid" ]]; then
+ _i_owners+="u${_i_uid}"
+ else
+ print "compaudit: warning: user '$_i_user' from \$ZSH_COMPLETION_USERS not found" 1>&2
+ fi
+ fi
+ done
+fi
+
# Places we will look for a link to the executable
local -a _i_exes
_i_exes=(
diff --git a/Doc/Zsh/params.yo b/Doc/Zsh/params.yo
index a4dd1a2..7585350 100644
--- a/Doc/Zsh/params.yo
+++ b/Doc/Zsh/params.yo
@@ -1948,4 +1948,18 @@ when the prompt appears at the extreme bottom right of the screen.
Recent virtual terminals are more likely to handle this case correctly.
Some experimentation is necessary.
)
+vindex(ZSH_COMPLETION_USERS)
+item(tt(ZSH_COMPLETION_USERS))(
+A colon-delimited list of usernames or numeric UIDs designating additional
+users who are trusted to own completion system files and directories.
+By default, tt(compaudit) only trusts files owned by root or the current user.
+Setting this parameter allows completion files owned by other users (such as
+package manager service accounts) to be used without security warnings.
+
+For example, if a system package manager runs as user tt(workbrew):
+
+example(export ZSH_COMPLETION_USERS="workbrew")
+
+Multiple users may be specified: tt(export ZSH_COMPLETION_USERS="workbrew:nixbld:1001")
+)
enditem()
--
2.55.0
Messages sorted by:
Reverse Date,
Date,
Thread,
Author