homebrew-cask: system_command: sudo commands fail when `-u root` and `-E` are specified

Description of the issue

My company uses Cyberark solution to audit sudo access on OSX. Multiple cask installations fail for employees (i.e., virtualbox, temurin, pdk).

We’ve contacted Cyberark, and it seems that they have a problem with the -u parameter for sudo. Is it necessary for cask installation to add it? (I tested without it, and it works). Cyberark should fix it - but maybe the -u switch could be configurable. Does anybody have any ideas?

This was not an issue a few weeks ago, but more casks got updated with -u now, and the problem is getting bigger.

About the error message: Execution blocked: bartosz.galek does not have Admin rights. Normally when I execute sudo I’ve got a prompt to fill in with justification:

sudo ls
Launch with elevated privileges
Justification: just testing

.DS_Store

Command that failed

brew install virtualbox

Output of command with --verbose --debug

brew reinstall --debug --verbose --cask --force virtualbox
/usr/local/Homebrew/Library/Homebrew/brew.rb (Cask::CaskLoader::FromAPILoader): loading virtualbox
==> Cask::Installer#install
/usr/local/Homebrew/Library/Homebrew/brew.rb (Cask::CaskLoader::FromTapLoader): loading homebrew/cask-versions/virtualbox-beta
==> Printing caveats
==> Cask::Installer#fetch
/usr/bin/env /usr/local/Homebrew/Library/Homebrew/shims/shared/curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/4.0.23-12-ge986264\ \(Macintosh\;\ Intel\ Mac\ OS\ X\ 13.4\)\ curl/7.88.1 --header Accept-Language:\ en --retry 3 --fail --location --silent --head https://raw.githubusercontent.com/Homebrew/homebrew-cask/e07e0a3b24a28f7d1da52354b65a1697e552ca9e/Casks/virtualbox.rb
/usr/bin/env /usr/local/Homebrew/Library/Homebrew/shims/shared/curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/4.0.23-12-ge986264\ \(Macintosh\;\ Intel\ Mac\ OS\ X\ 13.4\)\ curl/7.88.1 --header Accept-Language:\ en --retry 3 --fail --location --silent --head --request GET https://raw.githubusercontent.com/Homebrew/homebrew-cask/e07e0a3b24a28f7d1da52354b65a1697e552ca9e/Casks/virtualbox.rb
==> Downloading https://raw.githubusercontent.com/Homebrew/homebrew-cask/e07e0a3b24a28f7d1da52354b65a1697e552ca9e/Casks/virtualbox.rb
/usr/bin/env /usr/local/Homebrew/Library/Homebrew/shims/shared/curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/4.0.23-12-ge986264\ \(Macintosh\;\ Intel\ Mac\ OS\ X\ 13.4\)\ curl/7.88.1 --header Accept-Language:\ en --retry 3 --fail --location --silent --head --location --remote-time --output /Users/bartosz.galek/Library/Caches/Homebrew/downloads/54ce5c7c3a40a4db4559cd51bb33c85d457932806d38acd51c06e0c8c470307e--virtualbox.rb.incomplete https://raw.githubusercontent.com/Homebrew/homebrew-cask/e07e0a3b24a28f7d1da52354b65a1697e552ca9e/Casks/virtualbox.rb
/usr/bin/env /usr/local/Homebrew/Library/Homebrew/shims/shared/curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/4.0.23-12-ge986264\ \(Macintosh\;\ Intel\ Mac\ OS\ X\ 13.4\)\ curl/7.88.1 --header Accept-Language:\ en --retry 3 --fail --location --silent --head --request GET --location --remote-time --output /Users/bartosz.galek/Library/Caches/Homebrew/downloads/54ce5c7c3a40a4db4559cd51bb33c85d457932806d38acd51c06e0c8c470307e--virtualbox.rb.incomplete https://raw.githubusercontent.com/Homebrew/homebrew-cask/e07e0a3b24a28f7d1da52354b65a1697e552ca9e/Casks/virtualbox.rb
/usr/bin/env /usr/local/Homebrew/Library/Homebrew/shims/shared/curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/4.0.23-12-ge986264\ \(Macintosh\;\ Intel\ Mac\ OS\ X\ 13.4\)\ curl/7.88.1 --header Accept-Language:\ en --fail --connect-timeout 15 --retry 3 --location --remote-time --output /Users/bartosz.galek/Library/Caches/Homebrew/downloads/54ce5c7c3a40a4db4559cd51bb33c85d457932806d38acd51c06e0c8c470307e--virtualbox.rb.incomplete https://raw.githubusercontent.com/Homebrew/homebrew-cask/e07e0a3b24a28f7d1da52354b65a1697e552ca9e/Casks/virtualbox.rb
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2425  100  2425    0     0  23744      0 --:--:-- --:--:-- --:--:-- 26358
==> Verifying checksum for '54ce5c7c3a40a4db4559cd51bb33c85d457932806d38acd51c06e0c8c470307e--virtualbox.rb'
==> Downloading https://download.virtualbox.org/virtualbox/7.0.8/VirtualBox-7.0.8-156879-OSX.dmg
/usr/bin/env /usr/local/Homebrew/Library/Homebrew/shims/shared/curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/4.0.23-12-ge986264\ \(Macintosh\;\ Intel\ Mac\ OS\ X\ 13.4\)\ curl/7.88.1 --header Accept-Language:\ en --retry 3 --fail --location --silent --head https://download.virtualbox.org/virtualbox/7.0.8/VirtualBox-7.0.8-156879-OSX.dmg
/usr/bin/env /usr/local/Homebrew/Library/Homebrew/shims/shared/curl --disable --cookie /dev/null --globoff --show-error --user-agent Homebrew/4.0.23-12-ge986264\ \(Macintosh\;\ Intel\ Mac\ OS\ X\ 13.4\)\ curl/7.88.1 --header Accept-Language:\ en --retry 3 --fail --location --silent --head --request GET https://download.virtualbox.org/virtualbox/7.0.8/VirtualBox-7.0.8-156879-OSX.dmg
Already downloaded: /Users/bartosz.galek/Library/Caches/Homebrew/downloads/08af93128d6ff80757a49e5520255f42ccb578aae32e9528295abe42e7a7a431--VirtualBox-7.0.8-156879-OSX.dmg
==> Checking quarantine support
/usr/bin/env /usr/bin/xattr -h
/usr/bin/env /usr/bin/swift -target x86_64-apple-macosx13 /usr/local/Homebrew/Library/Homebrew/cask/utils/quarantine.swift
==> Quarantine is available.
==> Verifying Gatekeeper status of /Users/bartosz.galek/Library/Caches/Homebrew/downloads/08af93128d6ff80757a49e5520255f42ccb578aae32e9528295abe42e7a7a431--VirtualBox-7.0.8-156879-OSX.dmg
/usr/bin/env /usr/bin/xattr -p com.apple.quarantine /Users/bartosz.galek/Library/Caches/Homebrew/downloads/08af93128d6ff80757a49e5520255f42ccb578aae32e9528295abe42e7a7a431--VirtualBox-7.0.8-156879-OSX.dmg
==> /Users/bartosz.galek/Library/Caches/Homebrew/downloads/08af93128d6ff80757a49e5520255f42ccb578aae32e9528295abe42e7a7a431--VirtualBox-7.0.8-156879-OSX.dmg is quarantined
==> Verifying checksum for '08af93128d6ff80757a49e5520255f42ccb578aae32e9528295abe42e7a7a431--VirtualBox-7.0.8-156879-OSX.dmg'
/usr/bin/env tar --list --file /Users/bartosz.galek/Library/Caches/Homebrew/downloads/08af93128d6ff80757a49e5520255f42ccb578aae32e9528295abe42e7a7a431--VirtualBox-7.0.8-156879-OSX.dmg
/usr/bin/env hdiutil imageinfo -format /Users/bartosz.galek/Library/Caches/Homebrew/downloads/08af93128d6ff80757a49e5520255f42ccb578aae32e9528295abe42e7a7a431--VirtualBox-7.0.8-156879-OSX.dmg
==> Installing Cask virtualbox
==> Cask::Installer#stage
==> Extracting primary container
==> Using container class UnpackStrategy::Dmg for /Users/bartosz.galek/Library/Caches/Homebrew/downloads/08af93128d6ff80757a49e5520255f42ccb578aae32e9528295abe42e7a7a431--VirtualBox-7.0.8-156879-OSX.dmg
/usr/bin/env hdiutil attach -plist -nobrowse -readonly -mountrandom /private/tmp/d20230620-91848-j6bto3 /Users/bartosz.galek/Library/Caches/Homebrew/downloads/08af93128d6ff80757a49e5520255f42ccb578aae32e9528295abe42e7a7a431--VirtualBox-7.0.8-156879-OSX.dmg
/usr/bin/env find . -print0
/usr/bin/env mkbom -s -i /private/tmp/20230620-91848-22ud11.list -- /private/tmp/20230620-91848-1p4l4h1.bom
/usr/bin/env ditto --bom /private/tmp/20230620-91848-1p4l4h1.bom -- /private/tmp/d20230620-91848-j6bto3/dmg.LpO16C /private/tmp/d20230620-91848-1a900pu
/usr/bin/env diskutil info -plist /private/tmp/d20230620-91848-j6bto3/dmg.LpO16C
/usr/bin/env diskutil eject disk2s1
/usr/bin/env cp -pR /private/tmp/d20230620-91848-1a900pu/VirtualBox.pkg /usr/local/Caskroom/virtualbox/7.0.8,156879/VirtualBox.pkg
/usr/bin/env cp -pR /private/tmp/d20230620-91848-1a900pu/VirtualBox_Uninstall.tool /usr/local/Caskroom/virtualbox/7.0.8,156879/VirtualBox_Uninstall.tool
/usr/bin/env cp -pR /private/tmp/d20230620-91848-1a900pu/UserManual.pdf /usr/local/Caskroom/virtualbox/7.0.8,156879/UserManual.pdf
==> Verifying Gatekeeper status of /Users/bartosz.galek/Library/Caches/Homebrew/downloads/08af93128d6ff80757a49e5520255f42ccb578aae32e9528295abe42e7a7a431--VirtualBox-7.0.8-156879-OSX.dmg
/usr/bin/env /usr/bin/xattr -p com.apple.quarantine /Users/bartosz.galek/Library/Caches/Homebrew/downloads/08af93128d6ff80757a49e5520255f42ccb578aae32e9528295abe42e7a7a431--VirtualBox-7.0.8-156879-OSX.dmg
==> /Users/bartosz.galek/Library/Caches/Homebrew/downloads/08af93128d6ff80757a49e5520255f42ccb578aae32e9528295abe42e7a7a431--VirtualBox-7.0.8-156879-OSX.dmg is quarantined
==> Propagating quarantine from /Users/bartosz.galek/Library/Caches/Homebrew/downloads/08af93128d6ff80757a49e5520255f42ccb578aae32e9528295abe42e7a7a431--VirtualBox-7.0.8-156879-OSX.dmg to /usr/local/Caskroom/virtualbox/7.0.8,156879
/usr/bin/env /usr/bin/xattr -p com.apple.quarantine /Users/bartosz.galek/Library/Caches/Homebrew/downloads/08af93128d6ff80757a49e5520255f42ccb578aae32e9528295abe42e7a7a431--VirtualBox-7.0.8-156879-OSX.dmg
/usr/bin/env /usr/bin/xargs -0 -- /bin/chmod -h u\+w
/usr/bin/env /usr/bin/xargs -0 -- /usr/bin/xattr -w com.apple.quarantine 0181\;646b1be5\;Homebrew\\x20Cask\;35377D0E-B078-43F3-BE09-39E21F2EC664
==> Creating metadata directory: /usr/local/Caskroom/virtualbox/.metadata/7.0.8,156879/20230620110746.072
==> Creating metadata subdirectory: /usr/local/Caskroom/virtualbox/.metadata/7.0.8,156879/20230620110746.072/Casks
==> Installing artifacts
==> Installing artifact of class Cask::Artifact::Pkg
==> Running installer for virtualbox; your password may be necessary.
Package installers may write to any location; options such as `--appdir` are ignored.
/usr/bin/sudo -u root -E LOGNAME=bartosz.galek USER=bartosz.galek USERNAME=bartosz.galek -- /usr/sbin/installer -pkg /usr/local/Caskroom/virtualbox/7.0.8,156879/VirtualBox.pkg -target / -verboseR -applyChoiceChangesXML /private/tmp/choices20230620-91848-1i3d19s.xml
Execution blocked: bartosz.galek does not have Admin rights

==> Purging files for version 7.0.8,156879 of Cask virtualbox
Error: Failure while executing; `/usr/bin/sudo -u root -E LOGNAME=bartosz.galek USER=bartosz.galek USERNAME=bartosz.galek -- /usr/sbin/installer -pkg /usr/local/Caskroom/virtualbox/7.0.8,156879/VirtualBox.pkg -target / -verboseR -applyChoiceChangesXML /private/tmp/choices20230620-91848-1i3d19s.xml` exited with 1.
/usr/local/Homebrew/Library/Homebrew/system_command.rb:313:in `assert_success!'
/usr/local/Homebrew/Library/Homebrew/system_command.rb:59:in `run!'
/usr/local/Homebrew/Library/Homebrew/system_command.rb:34:in `run'
/usr/local/Homebrew/Library/Homebrew/system_command.rb:38:in `run!'
/usr/local/Homebrew/Library/Homebrew/cask/artifact/pkg.rb:65:in `block in run_installer'
/usr/local/Homebrew/Library/Homebrew/cask/artifact/pkg.rb:83:in `block in with_choices_file'
/System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/lib/ruby/2.6.0/tempfile.rb:295:in `open'
/usr/local/Homebrew/Library/Homebrew/cask/artifact/pkg.rb:80:in `with_choices_file'
/usr/local/Homebrew/Library/Homebrew/cask/artifact/pkg.rb:58:in `run_installer'
/usr/local/Homebrew/Library/Homebrew/cask/artifact/pkg.rb:33:in `install_phase'
/usr/local/Homebrew/Library/Homebrew/cask/installer.rb:234:in `block in install_artifacts'
/usr/local/Homebrew/Library/Homebrew/cask/artifact_set.rb:14:in `each'
/usr/local/Homebrew/Library/Homebrew/cask/artifact_set.rb:14:in `each'
/usr/local/Homebrew/Library/Homebrew/cask/installer.rb:227:in `install_artifacts'
/usr/local/Homebrew/Library/Homebrew/cask/installer.rb:115:in `install'
/usr/local/Homebrew/Library/Homebrew/cask/reinstall.rb:31:in `block in reinstall_casks'
/usr/local/Homebrew/Library/Homebrew/cask/reinstall.rb:22:in `each'
/usr/local/Homebrew/Library/Homebrew/cask/reinstall.rb:22:in `reinstall_casks'
/usr/local/Homebrew/Library/Homebrew/cmd/reinstall.rb:170:in `reinstall'
/usr/local/Homebrew/Library/Homebrew/brew.rb:94:in `<main>'

Output of brew doctor and brew config

brew doctor
Your system is ready to brew.

Output of brew tap

brew tap
adoptopenjdk/openjdk
atlassian/tap
homebrew/bundle
homebrew/cask
homebrew/cask-versions
homebrew/core
homebrew/services
microsoft/mssql-release
mongodb/brew
ngrok/ngrok
zachwick/license
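As an added example (not Homebrew's own code), written in Ruby because that is the language of `system_command`: it rebuilds the sudo argv visible in the failing log with the `-u root` switch made optional, as the reporter suggests, and parses the env_check / env_delete / env_keep lists from the `sudo -V` output quoted later in the thread to show which of the explicitly passed variables sudo would keep, check or drop. Function names and the `sudo -V` excerpt are constructed here.

```ruby
# Build the argv Homebrew-style: sudo [-u root] -E VAR=value ... -- command args
# (mirrors the command line in the failing log; not Homebrew's implementation).
def sudo_argv(command, env: {}, run_as_root: true, preserve_env: true)
  argv = ["/usr/bin/sudo"]
  argv += ["-u", "root"] if run_as_root   # the switch the reporter says CyberArk EPM rejects
  argv << "-E" if preserve_env            # ask sudo to keep the caller's environment
  argv += env.map { |k, v| "#{k}=#{v}" }  # explicit VAR=value assignments, as in the log
  argv + ["--", *command]
end

# Parse the three tab-indented variable lists printed by `sudo -V` into
# { "check" => [...], "remove" => [...], "preserve" => [...] }.
def parse_sudo_env_lists(text)
  lists = { "check" => [], "remove" => [], "preserve" => [] }
  current = nil
  text.each_line do |line|
    if (m = line.match(/^Environment variables to (check|remove|preserve)/))
      current = m[1]
    elsif current && line.start_with?("\t")
      lists[current] << line.strip
    else
      current = nil # any other line ends the current list
    end
  end
  lists
end

# For each variable name, report which sudo list it falls into (nil if none).
# Wildcard entries such as LC_* and DYLD_* are matched with shell globbing.
def classify_env(names, lists)
  names.to_h do |name|
    hit = lists.find { |_, patterns| patterns.any? { |p| File.fnmatch?(p, name) } }
    [name, hit && hit[0]]
  end
end

# Constructed excerpt in the shape of the `sudo -V` output quoted in the thread.
SUDO_V_EXCERPT = <<~OUT
  Reset the environment to a default set of variables
  Environment variables to check for safety:
  \tTZ
  \tLC_*
  Environment variables to remove:
  \tDYLD_*
  \tLD_*
  Environment variables to preserve:
  \tHOME
  \tPATH
  Locale to use while parsing sudoers: C
OUT

if $PROGRAM_NAME == __FILE__
  puts sudo_argv(["/usr/sbin/installer", "-pkg", "x.pkg"], env: { "USER" => "bob" }).join(" ")
  p classify_env(%w[LOGNAME USER USERNAME HOME], parse_sudo_env_lists(SUDO_V_EXCERPT))
end
```

Variables that land in no list (LOGNAME, USER, USERNAME in the excerpt) are the ones sudo's env_reset would not carry over by itself, which is why the command line sets them explicitly.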

About this issue

  • State: closed
  • Created a year ago
  • Comments: 31 (17 by maintainers)

Most upvoted comments

Thank you so much for your patience, @Kentzo! This was super helpful and much appreciated.

@Kentzo Thank you for your research!

With the power of the opensource community - I summon the CyberArk team: @infamousjoeg @jodyhuntatx @jeniaSakirko @jtuttle @rafis3 @orenbm!

Maybe we can come up with a fix 😉

/etc/sudo.conf and /etc/pam.d/sudo please.

dscacheutil -q group -a name _cyberarkepm_sudoers too, please

sudo sudo -V

Launch with elevated privileges
Justification: sudo -v

Sudo version 1.9.5p2
Configure options: --with-password-timeout=0 --disable-setreuid --with-env-editor --with-pam --with-libraries=bsm --with-noexec=no --sysconfdir=/private/etc --without-lecture --enable-static-sudoers --with-rundir=/var/db/sudo
Sudoers policy plugin version 1.9.5p2
Sudoers file grammar version 48

Sudoers path: /etc/sudoers
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if the user is not in sudoers
Lecture user the first time they run sudo
File containing the sudo lecture: /etc/sudo_lecture
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 0.0 minutes
Password prompt timeout: 0.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to lecture status dir: /var/db/sudo/lectured
Path to authentication timestamp dir: /var/db/sudo/ts
Default password prompt: Password:
Default user to run commands as: root
Value to override user's $PATH with: /usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/CyberArk EPM.app/Contents/Helpers
Path to the editor for use by visudo: /usr/bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for safety:
	TZ
	TERM
	LINGUAS
	LC_*
	LANGUAGE
	LANG
	COLORTERM
Environment variables to remove:
	*=()*
	RUBYOPT
	RUBYLIB
	PYTHONUSERBASE
	PYTHONINSPECT
	PYTHONPATH
	PYTHONHOME
	TMPPREFIX
	ZDOTDIR
	READNULLCMD
	NULLCMD
	FPATH
	PERL5DB
	PERL5OPT
	PERL5LIB
	PERLLIB
	PERLIO_DEBUG
	JAVA_TOOL_OPTIONS
	SHELLOPTS
	BASHOPTS
	GLOBIGNORE
	PS4
	BASH_ENV
	ENV
	TERMCAP
	TERMPATH
	TERMINFO_DIRS
	TERMINFO
	DYLD_*
	_RLD*
	LD_*
	PATH_LOCALE
	NLSPATH
	HOSTALIASES
	RES_OPTIONS
	LOCALDOMAIN
	CDPATH
	IFS
Environment variables to preserve:
	MAIL
	HOME
	VISUAL
	EDITOR
	TZ
	SSH_AUTH_SOCK
	LSCOLORS
	COLUMNS
	LINES
	LC_TIME
	LC_NUMERIC
	LC_MONETARY
	LC_MESSAGES
	LC_CTYPE
	LC_COLLATE
	LC_ALL
	LANGUAGE
	LANG
	CHARSET
	__CF_USER_TEXT_ENCODING
	COLORTERM
	COLORFGBG
	BLOCKSIZE
	XAUTHORIZATION
	XAUTHORITY
	PS2
	PS1
	PATH
	LS_COLORS
	KRB5CCNAME
	HOSTNAME
	DISPLAY
	COLORS
Locale to use while parsing sudoers: C
Compress I/O logs using zlib
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
PAM service name to use: sudo
PAM service name to use for login shells: sudo
Attempt to establish PAM credentials for the target user
Create a new PAM session for the command to run in
Perform PAM account validation management
Enable sudoers netgroup support
Check parent directories for writability when editing files with sudoedit
Allow commands to be run even if sudo cannot write to the audit log
Allow commands to be run even if sudo cannot write to the log file
Log entries larger than this value will be split into multiple syslog messages: 960
File mode to use for the I/O log files: 0600
Execute commands by file descriptor instead of by path: digest_only
Type of authentication timestamp record: tty
Ignore case when matching user names
Ignore case when matching group names
Log when a command is allowed by sudoers
Log when a command is denied by sudoers
Sudo log server timeout in seconds: 30
Enable SO_KEEPALIVE socket option on the socket connected to the logserver
Verify that the log server's certificate is valid
Set the pam remote user to the user running sudo
The format of logs to produce: sudo

Local IP address and netmask pairs:
	fe80::aede:48ff:fe00:1122/ffff:ffff:ffff:ffff::
	fe80::b09c:4aff:feb7:7007/ffff:ffff:ffff:ffff::
	fe80::475:66f7:a244:d1a0/ffff:ffff:ffff:ffff::
	192.168.50.91/255.255.255.0
	fe80::f046:59ff:fe3f:13d2/ffff:ffff:ffff:ffff::
	fe80::f046:59ff:fe3f:13d2/ffff:ffff:ffff:ffff::
	fe80::79e2:b3ca:577f:8d98/ffff:ffff:ffff:ffff::
	fe80::58a4:6003:cb93:1115/ffff:ffff:ffff:ffff::
	fe80::ce81:b1c:bd2c:69e/ffff:ffff:ffff:ffff::

Sudoers I/O plugin version 1.9.5p2
Sudoers audit plugin version 1.9.5p2

sudo sudo -V too please.

sudo sudo cat /private/etc/sudoers.cyberark then 😃

What about sudo sudo cat /etc/sudoers as well as every file in /etc/sudoers.d/ (if any)?

@bgalek Could you run sudo -l (above you did sudo sudo -l)

@Kentzo @razvanazamfirei Thank you for looking into it! I provided the configurations you were talking about and some additional examples.

Can you provide us with the output of brew config?