Document sudo --reset-timestamp behavior #20022

Closed
1 task done
AliGhahraei opened this issue May 28, 2025 · 4 comments · Fixed by #20037
Comments

@AliGhahraei

AliGhahraei commented May 28, 2025

Verification

Provide a detailed description of the proposed feature

Document the --reset-timestamp behavior, as it can cause unexpected password re-prompts in interactive shells and scripts for people who don't know about it. My initial suggestion would be to add it to the post-installation steps, the FAQ or both, but there could be a better place.

What is the motivation for the feature?

The timestamp resetting is a security feature added in this PR to prevent privilege escalation. However, it can cause unexpected issues if someone runs a script using brew or includes a brew command in their shell config and hasn't heard about it.

I ran into it today after struggling to pinpoint the root cause and I found multiple issues opened by others:

How will the feature be relevant to at least 90% of Homebrew users?

The feature is always present, so everyone can benefit from it being documented.

What alternatives to the feature have been considered?

As far as I could find, only the removal of the feature has been proposed. As this is not a possibility according to the Homebrew developers, I propose to document it instead.

@MikeMcQuaid
Member

@AliGhahraei Thanks! What documentation did you look at/web searches did you make to try and find this out?

@MikeMcQuaid
Member

MikeMcQuaid commented May 28, 2025

Also CC @woodruffw @p-linnane in case you think it'd be acceptable to tone down this behaviour a bit to e.g. before anywhere that Homebrew or external commands/taps could run sudo?

@AliGhahraei
Author

So my shell had this in its configuration:

eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"

I didn't know about this feature at the time, but I noticed that my password was being reset after every sudo invocation. I guess I could have tried to re-add my config line by line, but I thought either my sudo configuration or an external program was the issue instead.

I found out about the --reset-timestamp flag by chance and I used this to find out what was triggering it:

strace -f -e execve fish 2>&1 | grep -B10 'reset-timestamp'

Once it showed the brew call with the flag, I searched for reset-timestamp in the repo and found out about the feature with the CR where it was added. I also found the rest of the links I posted.

I added the eval line to my config when I was reading the post-installation steps, that's why I'm suggesting to document this feature there.

I specifically didn't request a removal due to the other closed issues, but I guess toning it down would work for me as well. Either way, it would help to document the outcome.
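The strace-based diagnosis described in the comment above can be made less noisy than a `grep -B10`. The following is an added example, not part of the original thread or of Homebrew: the function names `sample_trace` and `find_timestamp_resets` are hypothetical, and the trace lines are constructed.

```shell
#!/bin/sh
# Added example. Reads `strace -f -e execve` output on stdin and reports each
# successful exec of sudo with -k / --reset-timestamp, plus the execs before it.
# Assumes default strace formatting (argv printed as [...], envp as 0x...);
# calls split into "<unfinished ...>" / "resumed" pairs are not reassembled.

# Constructed sample trace: PIDs, addresses and argv are made up for illustration.
sample_trace() {
  cat <<'EOF'
execve("/usr/bin/fish", ["fish"], 0x7ffc0a1b2c30 /* 41 vars */) = 0
[pid  4102] execve("/home/linuxbrew/.linuxbrew/bin/brew", ["/home/linuxbrew/.linuxbrew/bin/brew", "shellenv"], 0x55d0c0ffee00 /* 41 vars */) = 0
[pid  4105] execve("/usr/local/bin/sudo", ["sudo", "--reset-timestamp"], 0x55d0c0ffee40 /* 43 vars */) = -1 ENOENT (No such file or directory)
[pid  4105] execve("/usr/bin/sudo", ["sudo", "--reset-timestamp"], 0x55d0c0ffee40 /* 43 vars */) = 0
[pid  4110] execve("/usr/bin/sudo", ["sudo", "-n", "true"], 0x55d0c0ffee80 /* 41 vars */) = 0
EOF
}

# $1 = how many preceding successful execs to show per hit (default 3).
find_timestamp_resets() {
  awk -v ctx="${1:-3}" '
    !/execve\(/ || !/\) = 0$/ { next }   # skip noise and failed PATH probes
    {
      pid = "-"                          # first traced process has no [pid N] prefix
      if (match($0, /^\[pid +[0-9]+\]/)) {
        pid = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", pid)
      }
      s = substr($0, index($0, "execve("))
      match(s, /^execve\("[^"]*"/)
      path = substr(s, 9, RLENGTH - 9)   # text between the first pair of quotes
      a = index(s, "["); b = match(s, /\], 0x/)
      argv = (a && b > a) ? substr(s, a + 1, b - a - 1) : ""
      n = split(path, seg, "/"); hit = 0
      if (seg[n] == "sudo") {
        m = split(argv, tok, ", ")
        for (i = 2; i <= m; i++) {       # scan sudo options only, stop at the command
          gsub(/"/, "", tok[i])
          if (tok[i] !~ /^-/ || tok[i] == "--") break
          if (tok[i] == "-k" || tok[i] == "--reset-timestamp") hit = 1
        }
      }
      if (hit) {
        printf "RESET pid=%s argv=[%s]\n", pid, argv
        for (j = (cnt > ctx ? cnt - ctx + 1 : 1); j <= cnt; j++) print "  preceded by " hist[j]
      }
      hist[++cnt] = "pid=" pid " " path " [" argv "]"
    }'
}

sample_trace | find_timestamp_resets 2
```

On a real system the input would come from something like `strace -f -e execve -o trace.log fish` followed by `find_timestamp_resets < trace.log`.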

@AliGhahraei
Author

I guess the Homebrew installation instructions for updating the shell configuration could mention this as well.
