Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

[PATCH 1/1] compaudit: add ZSH_COMPLETION_USERS parameter



compaudit trusts completion files owned by root, $EUID, and (on
systems with /proc) the owner of the zsh executable. When a package
manager installs completions under a dedicated service account,
none of those match, and compaudit rejects the files on every
shell start. Users are left with 'compinit -u' (which skips the
audit entirely), chowning the files (not always possible), or
dismissing the prompt each time.

Add ZSH_COMPLETION_USERS, a colon-delimited list of usernames or
numeric UIDs appended to compaudit's trusted owners list:

  export ZSH_COMPLETION_USERS="workbrew:nixbld"

Trust is opt-in: the user (or system admin) names the additional
trusted owners explicitly, and compaudit still rejects files that
are world- or group-writable. The list can be set per-user in
~/.zshenv or system-wide in /etc/zshenv.

This generalizes exceptions already present in compaudit: trust of
the zsh executable's owner, and the Debian-specific trust of the
'staff' group for /usr/local.

Usernames are resolved with 'id -u' rather than 'getent passwd'.
The getent shim compaudit defines for systems without a real getent
cannot resolve 'passwd' entries on macOS, so 'id -u' avoids the
need for a separate fallback.
---
 Completion/compaudit | 27 +++++++++++++++++++++++++++
 Doc/Zsh/params.yo    | 14 ++++++++++++++
 2 files changed, 41 insertions(+)

diff --git a/Completion/compaudit b/Completion/compaudit
index 93a0431..008c892 100644
--- a/Completion/compaudit
+++ b/Completion/compaudit
@@ -89,6 +89,33 @@ fi
 # present process.
 local _i_owners="u0u${EUID}"
 
+# If ZSH_COMPLETION_USERS is set, add those users to the trusted owners list.
+# This allows system administrators to designate additional users (such as
+# package manager service accounts) as trusted completion file owners.
+#
+# The parameter should contain a colon-delimited list of usernames or numeric
+# UIDs, for example:
+#   export ZSH_COMPLETION_USERS="workbrew:nixbld:1001"
+if [[ -n "$ZSH_COMPLETION_USERS" ]]; then
+  local _i_user _i_uid
+  for _i_user in ${(s.:.)ZSH_COMPLETION_USERS}; do
+    if [[ $_i_user == <-> ]]; then
+      # Numeric UID provided directly
+      _i_owners+="u${_i_user}"
+    else
+      # Username provided, resolve to UID via id command
+      # Using 'id -u' is more portable than getent and works with directory
+      # services on macOS, LDAP, etc.
+      _i_uid=$(id -u "$_i_user" 2>/dev/null)
+      if [[ -n "$_i_uid" ]]; then
+        _i_owners+="u${_i_uid}"
+      else
+        print "compaudit: warning: user '$_i_user' from \$ZSH_COMPLETION_USERS not found" 1>&2
+      fi
+    fi
+  done
+fi
+
 # Places we will look for a link to the executable
 local -a _i_exes
 _i_exes=(
diff --git a/Doc/Zsh/params.yo b/Doc/Zsh/params.yo
index a4dd1a2..7585350 100644
--- a/Doc/Zsh/params.yo
+++ b/Doc/Zsh/params.yo
@@ -1948,4 +1948,18 @@ when the prompt appears at the extreme bottom right of the screen.
 Recent virtual terminals are more likely to handle this case correctly.
 Some experimentation is necessary.
 )
+vindex(ZSH_COMPLETION_USERS)
+item(tt(ZSH_COMPLETION_USERS))(
+A colon-delimited list of usernames or numeric UIDs designating additional
+users who are trusted to own completion system files and directories.
+By default, tt(compaudit) only trusts files owned by root or the current user.
+Setting this parameter allows completion files owned by other users (such as
+package manager service accounts) to be used without security warnings.
+
+For example, if a system package manager runs as user tt(workbrew):
+
+example(export ZSH_COMPLETION_USERS="workbrew")
+
+Multiple users may be specified: tt(export ZSH_COMPLETION_USERS="workbrew:nixbld:1001")
+)
 enditem()
-- 
2.55.0





Messages sorted by: Reverse Date, Date, Thread, Author