I’d like to change rustup.sh to be more interactive, not require invocation under sudo, and instead run sudo itself when necessary. There are two main reasons:
- Security-minded people do not like us telling people to curl a script into a root shell.
-
rustup.sh has a lot of fiddly shell code, and most of it does not need to run as root. In some scenarios it leaves a
~/.rustup
directory around, and I’d rather that be under the user’s account than root.
My worry about making this change is mostly about deciding when to run sudo, since not all installations need to be run as root, not all environments can access the terminal, etc.
So I’ll lay out how it might work. Let me know where the gaps in my thinking are.
After the change we’ll tell people to run curl -s https://static.rust-lang.org/rustup.sh | sh
, without an explicit sudo
. rustup.sh
will itself call sudo to run the installer, but only in certain scenarios.
The first thing rustup.sh will do is print out a concise message explaining what it is going to do and giving the user an opportunity to abort. To avoid interactive mode callers can pass -y
or --yes
, which also turns off sudo (TODO: ok to conflate these two things?). Since this script is being piped into the shell, we can’t just read input from stdin. So, if in interactive mode, the first step is to open /dev/tty
. If that fails, exit. Otherwise print the message and wait for ‘y/n’ user input. This step of checking for an interactive terminal is necessary also for knowing whether we can sudo.
By default, rustup.sh will try to figure out whether it is appropriate to run sudo, and if so will either run sudo or error. To disable the sudo logic, the user can pass --disable-sudo
(TODO: similar to -y
)
To determine whether sudo is needed, rustup tries to write, then delete, a file in the prefix directory, the prefix bin directory, and the prefix lib directory. If this fails rustup.sh decides it needs to sudo. Either way rustup.sh prints a status message explaining the choice. There may be smarter ways to decide whether to sudo.
I think that’s the extent of the changes.
As an alternative, we might not try to detect when sudo is needed and just run it unconditionally, but say in the opening message, ‘we’re going to run sudo, if you don’t like that call it again with --disable-sudo’.