Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

darwin-rebuild: Don't prompt for sudo multiple times #1147

Open
wants to merge 11 commits into
base: master
Choose a base branch
from
34 changes: 20 additions & 14 deletions pkgs/nix-tools/darwin-rebuild.sh
Original file line number Diff line number Diff line change
Expand Up @@ -21,17 +21,18 @@ showSyntax() {
exit 1
}

sudo() {
# REMOVEME when support for macOS 10.13 is dropped
# macOS 10.13 does not support sudo --preserve-env so we make this conditional
if command sudo --help | grep -- --preserve-env= >/dev/null; then
# We use `env` before our command to ensure the preserved PATH gets checked
# when trying to resolve the command to execute
command sudo -H --preserve-env=PATH --preserve-env=SSH_CONNECTION env "$@"
else
command sudo -H "$@"
fi
}
# REMOVEME when support for macOS 10.13 is dropped
# macOS 10.13 does not support sudo --preserve-env so we make this conditional
if command sudo --help | grep -- --preserve-env= >/dev/null; then
# We use `env` before our command to ensure the preserved PATH gets checked
# when trying to resolve the command to execute
sudo_base="command sudo -H --preserve-env=PATH --preserve-env=SSH_CONNECTION"
sudo="$sudo_base env"
else
sudo_base="command sudo -H"
sudo="$sudo_base"
fi
sudo() { $sudo "$@"; }

# Parse the command line.
origArgs=("$@")
Expand Down Expand Up @@ -224,11 +225,16 @@ if [ "$action" = switch ]; then
fi

if [ "$action" = switch ] || [ "$action" = activate ] || [ "$action" = rollback ]; then
"$systemConfig/activate-user"

if [ "$USER" != root ]; then
sudo "$systemConfig/activate"
# Running `$systemConfig/activate-user` may cause subsequent sudo invocations to prompt
# for the password even if we previously ran sudo in the same session, since `brew` resets
# the sudo timestamp: see https://github.com/Homebrew/brew/pull/17694.
# Indeed, by this point we've already run `nix-env --set` as sudo. So to avoid prompting a
# second time, we become root *before* running activate-user and then drop down to the user
# to invoke it. This way, the call to `activate` doesn't require a password.
sudo @shell@ -c "$sudo_base -u $USER $systemConfig/activate-user && $systemConfig/activate"
else
"$systemConfig/activate-user"
"$systemConfig/activate"
fi
fi
Expand Down