Make clear that root password prompt is coming from sudo, not mkcert #578
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Given the sensitive nature of passwords of users with sudo privileges, I propose to preserve the default behaviour (and prompt) of sudo as the user may expect, and instead print an explanatory message stating that mkcert is re-running with sudo.
Issue #178 led to commit aa4dd61 which added the
--prompt Sudo password:argument to the sudo command when re-running with elevated permissions. While a reasonable solution to the potential "which password is required?" confusion users may face, for users unfamiliar with the--promptargument to sudo, it can cause concern that the user's password is being captured and processed by mkcert itself, and not by sudo (an insecure and unfortunately not uncommon action taken by some applications, like Zoom - see https://www.vmray.com/cyber-security-blog/zoom-macos-installer-analysis-good-apps-behaving-badly/).This PR seeks to make it clearer to users that the password prompt is coming from sudo and not mkcert, while still explaining to users which password is being requested.
(When first trying
mkcert -installand seeing the "Sudo password:" prompt, I worried that it would be capturing and saving my password for future elevation, and had to read the source to find out what was really happening - users less familiar with Go may have struggled with this).