Ownership of /home/linuxbrew and several admin accounts

Hi!

ujust brew installs Homebrew in /home/linuxbrew/, and changes its ownership recursively to the user and group of the user running ujust.

This limits running brew operations to the initial user.

I’m trying to create a setup with several users for separate KDE environment configurations. All these users are equally administrative, and should have the possibility to run flatpak, ujust, and brew system commands.

To enable my setup in a simple way, I would need to utilize group ownership for /home/linuxbrew/, for example by making it owned by the default “wheel” group.

What do you think about this approach? Do you think it could be implemented in Bluefin?

Yeah if someone PRd a proper solution for this we’d likely accept it.

I kindly ask for a review of my approach before I proceed with MRs.

Using a dedicated group doesn’t work, as described here, regardless of whether it is a dedicated linuxbrew group or an existing one like wheel.

I think I solved the issue by making three changes in different places of the system.

Change 1, install Homebrew as a dedicated user

In /usr/share/ublue-os/just/05-brew.just (source), create a new user account and run the Homebrew installer as the new user:

(...)
        if [ "$ACCEPT" == "YES I UNDERSTAND" ]; then
          # Homebrew installed as a separate user
          # enables easy sudo alias on multi-account systems
          sudo useradd linuxbrew
          sudo chmod go+rx /home/linuxbrew # gives access to completion scripts
          sudo -Hu linuxbrew /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
        else
(...)

Change 2, alias “brew” to run as linuxbrew user

In file /etc/profile.d/brew.sh add the alias:

#!/usr/bin/env bash
alias brew='sudo -Hu linuxbrew /home/linuxbrew/.linuxbrew/Homebrew/bin/brew'
[[ -d /home/linuxbrew/.linuxbrew && $- == *i* ]] && eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"

Change 3, passwordless sudo for admins to run brew as linuxbrew

Create a file /etc/sudoers.d/brew-for-all with the following sudo rule:

# This drop-in enables all administrators to use Homebrew as linuxbrew user without password
%wheel  ALL=(linuxbrew) CWD=/tmp NOPASSWD: /home/linuxbrew/.linuxbrew/Homebrew/bin/brew

Homebrew needs a writable current working directory, and fortunately sudo has a CWD option for that.

A missing piece: migration of existing brew installations

Migration should be possible by retroactively creating a user with a home directory in /home/linuxbrew, and setting proper ownerships and permissions on the home directory recursively.

A question: what is this brew installation script for?

I wonder if this script also needs changes, any help appreciated:

ublue-os/bluefin/blob/main/build_files/brew.sh

Other fixes needed:

  1. brew-upgrade system service. Fix: in /usr/lib/systemd/system/brew-upgrade.service, change line User=1000 to User=linuxbrew.
  2. topgrade: doesn’t see the alias, I will try with a wrapper in /usr/local/bin.
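
An added example, not part of the original posts or of Bluefin's code: a read-only check for the migration step described above, listing anything under the prefix that is not owned by the dedicated account or is writable by group or others, and confirming the go+rx bits on the home directory. The function names and the choice of checks are assumptions; the default path and user name follow the thread.

```shell
#!/bin/sh
# Added example: read-only audit of a Homebrew prefix that was migrated to a
# dedicated account. Defaults (/home/linuxbrew, user linuxbrew) follow the
# thread; the function names and the set of checks are assumptions.

# List paths under $1 not owned by user $2, or writable by group or others.
# Symlinks are skipped because their own mode bits are not enforced.
brew_prefix_findings() {
    find "$1" ! -type l \
        \( ! -user "$2" -o -perm -020 -o -perm -002 \) -print
}

# Exit status: 0 clean, 1 findings printed on stdout, 2 audit could not run.
audit_brew_prefix() {
    prefix=${1:-/home/linuxbrew}
    owner=${2:-linuxbrew}
    [ -d "$prefix" ] || { echo "no such directory: $prefix" >&2; return 2; }

    findings=$(brew_prefix_findings "$prefix" "$owner") || return 2
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi

    # The top directory needs r-x for group and others (chmod go+rx), or the
    # other admins cannot read the completion scripts and shellenv.
    if [ -z "$(find "$prefix" -prune -perm -055 -print)" ]; then
        echo "$prefix: missing go+rx"
        return 1
    fi
    return 0
}
```

Calling `audit_brew_prefix` with no arguments checks /home/linuxbrew against the linuxbrew account; a numeric UID also works as the second argument.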

Support for this kind of Homebrew installation has been implemented in the recently released Topgrade 16.

@j0rge, do you think it’s possible to upgrade topgrade in Aurora-dx 40 to the latest version?

Needs testing: fix: move to packaged topgrade by castrojo · Pull Request #1719 · ublue-os/bluefin · GitHub
