-
Notifications
You must be signed in to change notification settings - Fork 718
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
zsh compinit: insecure directories and files on macos catalina when using sudo #680
Comments
From ZSHs website on what compaudit does:
This issue sounds similar to #433, where a few methods were proposed to solve the issue. There is also a SO post with a few solutions here. My guess is zsh thinks potentially dangerous files could be loaded and is, therefore, taking steps to try and prevent that. I'd give the threads above a look to see if any of the solutions work for you based on what files or directories are being designated as insecure when you run |
@MaximDevoir But, still setting ownership to /usr/local/share/zsh does sound strange to me, cause it suppose to be a PUBLIC directory, not only belongs to one account. Best regards, |
Yeah, I guess it makes sense for ZSH to complain about insecure files while executing as root; zsh sourcing public/writable files and directories. You could set the ZSH_DISABLE_COMPFIX="true" From Marc in ohmyzsh/ohmyzsh#6835 (comment):
|
I used |
Wow, I just tried this and my Mac instantly rebooted. Now it's stuck in an endless reboot cycle. I guess that's a lesson in not trying random things one finds online... UPDATE: Well, after about 2 or 3 dozen restarts, it finally booted. Maybe this was unrelated and just very unlucky timing with entering that command. I had agreed to a software update about an hour or two prior to this, but I find it strange it rebooted exactly as I pressed enter on this command. Anyway, the "insecure directories" warning is gone now, lol. Mac OS is not my primary OS so I am not used to its peculiarities. |
This worked for me! Thanks @pvinis |
Interesting. In my case I had some homebrew installed stuff is /usr/local/share/zsh directory. When I removed that as zsh is native to MacOS the problem went away. The other solutions above did not work. Anyone know what I will be missing if anything deleting the above. Much of what was complained about were soft links to somewhere in homebrew managed stuff. I am not sure what initially added these. Something I did over a month ago. |
like @nandorojo, this also solved my problem |
As my user is the owner of the files which compaudit complains about, I only get the warnings when running as root, ie. after sudo -s. The proposed solutions in #433 all entail changing the owner of files. I want my user to own files in /usr/local/share, but also want to occasionally run things as different users, or root. Why zsh doesn't support this I don't understand. Only solution appears to be to disable compaudit. This is undesirable |
@benorgera I have the same issue. My machine has a profile for my own projects, and for my job. |
Worked for me too |
@benorgera @nldoty I have a similar situation. I have admin and non-admin user accounts on my macOS work machine. For security purposes (supposedly), I have to do my day-to-day-work with the non-admin account, and only use the admin account for tasks which require those perms, like software upgrades. This means my Zsh installation, and all related directories, are owned by the admin account, and I can't simply The solution is to ignore the insecure directories for the non-admin account, as described in the zsh docs and zsh-users/antigen@4c4f805: # ~/.zshrc
autoload -Uz compinit
if [ "$(whoami)" = "YOUR_NON_ADMIN_USER" ]; then
compinit -i # Ignore insecure directories
else
compinit
fi The non-admin account doesn't have permissions to perform any actions on the pertinent directories, so ignoring them doesn't pose a security risk that I'm aware of. |
Commit c496edb updated the Zsh completion initialization script. This resulted in an error for non-admin users: ``` zsh compinit: insecure directories and files, run compaudit for list. ``` I have admin and non-admin user accounts on my macOS work machine. For security purposes (supposedly), I have to do my day-to-day-work with the non-admin account, and only use the admin account for tasks requiring those perms, like software upgrades. This means my Zsh installation, and all related directories, are owned by the admin account, and I can't simply `chmod` and `chown` to the non-admin account. The solution is to ignore insecure directories on the non-admin account. ~/.zshrc: ```zsh autoload -Uz compinit if [ "$(whoami)" = "brendon.smith" ]; then compinit -i # Ignore insecure directories else compinit fi ``` The non-admin account doesn't have permissions to perform any actions on the pertinent directories, so ignoring them doesn't pose a security risk that I'm aware of. Also see zsh-users/zsh-completions#680.
if you used
the system will not notify you of the insecurities, we just have to change the writing permissions of the group and others depending on the case, go to
and put
or
|
I tried to explain what is the (simple) cause for that here: https://stackoverflow.com/a/63447799/687896 , so that we don't start just typing commands we don't really understand what is going on. Basically, ZSH expects system files to be owned and modifiable (w) by either you (the one running the shell) or root. |
This worked for me! Thanks! |
Adding |
Adding ZSH_DISABLE_COMPFIX="true" to my .zshrc did not work for me. Here are working options:
|
Thanks man, I had this issue after installing nvm |
Just using |
it worked, thanks! |
Commit c496edb updated the Zsh completion initialization script. This resulted in an error for non-admin users: ``` zsh compinit: insecure directories and files, run compaudit for list. ``` I have admin and non-admin user accounts on my macOS work machine. For security purposes (supposedly), I have to do my day-to-day-work with the non-admin account, and only use the admin account for tasks requiring those perms, like software upgrades. This means my Zsh installation, and all related directories, are owned by the admin account, and I can't simply `chmod` and `chown` to the non-admin account. The solution is to ignore insecure directories on the non-admin account. ~/.zshrc: ```zsh autoload -Uz compinit if [ "$(whoami)" = "brendon.smith" ]; then compinit -i # Ignore insecure directories else compinit fi ``` The non-admin account doesn't have permissions to perform any actions on the pertinent directories, so ignoring them doesn't pose a security risk that I'm aware of. Also see zsh-users/zsh-completions#680.
Read what chbrandt commented on 22 Aug |
|
It just work, by the way I come to this problem because I have reinstalled npm and install using nvm MacOS. That's great. |
The issue with Hombrew and Catalina, re-installing npm via NVM still persist. the command |
|
this config is helpful for me.thank you! |
Is there any issue with just removing write permissions for group from the directory (i.e., |
For me, some of the files were symlinks so I had to follow the symlink and update their permissions accordingly |
oh-my-zsh mentioned some potential issues with write access for the group and others, prob for security reasons. Below is the message I was getting. I cd to the directory oh-my-zsh mentioned as potentially insecure and applied the compaudit line it provided and it worked fine, so far.
Here is what oh-my-zsh printed to terminal: [oh-my-zsh] For safety, we will not load completions from these directories until [oh-my-zsh] To fix your permissions you can do so by disabling [oh-my-zsh] If the above didn't help or you want to skip the verification of |
Yep, nothing else worked for me. Thanks. |
Wow... what were the directories? Were they homebrew related like |
Wonderful. This worked for me |
Thanks a lot, this fixed the issue on Big Sur. |
In my case, running |
this works perfect, thanks @strongkyomu |
for all those who performing Please, consider that you have been warned, that you performing potentially harmful action, that can (but not necessary will, or not necessary right now) brake your system (or anything else) and/or may lead to your device being hacked |
bro at worst what could happen if u |
|
Came from google and use zsh on debian. |
I know, that it's really, really, really bad, but i fixed this by changing autoload -Uz compinit && compinit to autoload -Uz compinit && compinit -C Never do this if there are unmoderated functions somewhere inside fpath |
I am using MacOS catalina for a while and always get this REALLY annoying message when I use
sudo zsh
zsh compinit: insecure directories and files, run compaudit for list.
Ignore insecure directories and files and continue [y] or abort compinit [n]?
Is there even a way to avoid this?
Or maybe I should quit using zsh.
In my opinion a shell should be user independent.
The text was updated successfully, but these errors were encountered: