Understanding homebrew 'no-sudo' philosophy and questioning FAQ

Having fresh install of OS X, I decided to install python package manager in proper way. So I started googling and found homebrew is the best way. Now I got two questions:

• from homebrew FAQ:

Homebrew is designed to work without using sudo.

However the install script asks for password. That's because the actual user is given permission to read,write,execute the usr/local... dirs as being admin's group member. Thus, instead of asking sudo each time, homebrew asks it once. Nevertheless the rules are broken since you have to use sudo yes or yes.

I was afraid of using sudo with python when installing packages. This is why I decided for homebrew. But isn't it the same actually?

If this is true, I see it unsafe to let homebrewed programs to do what the y want to do since they have root permissions.

• from homebrew FAQ:

/usr/local/bin is already in your PATH.

Then why I need to

insert the Homebrew directory at the top of your PATH

as it's said in http://docs.python-guide.org/en/latest/starting/install/osx/ ?

Commands homebrew's install script executed:

/usr/bin/sudo /bin/chmod g+rwx /usr/local/. /usr/local/include /usr/local/lib /usr/local/lib/pkgconfig

/usr/bin/sudo /usr/bin/chgrp admin /usr/local/. /usr/local/include /usr/local/lib /usr/local/lib/pkgconfig

Thank you terdon. You say that programs installed to elevated permissions directory don't inherit the permissions. 'brew' is the only file I got in /usr/local/bin. And it is admin's group. Then run it it's like run it with sudo. Won't it happen the same with the rest of the programs?

@slinzex that's not how permissions work. What you see, is that the file's owner is admin. Look at ls -l /bin/ls, you will see it is also owned by admin. That does not mean that it will run with admin privileges. It just means it belongs to admin. However, all executables run with the permissions of the user who executed them. If admin runs them, they will have admin privileges, if you run them, they will not. The only exception are cases where the SUID bit is set. Have a look here.

Thanks for very nice and useful refresher. The permissions over brew are -rwxr-xr-x. And the owner is "user" of the group "admin". And ls is owned by root. Then the user can rx, as well as root. Admin cannot write, as well as other. The user is in admin's group. Prior to install homebrew, usr/local was wheel's group. Now it's admin's. Before I had to use sudo to write there, now not, right? So in conclusion, what changed now with chmod g+rwx and chgrp admin /usr/local/. ?

@slinzex I'm afraid I have no idea what you're asking. If this is a new issue, please post a new question, this is not a forum. I don't know if you can write without seeing the whole permissions string and knowing your groups. If you ran chmod g+rwx and /usr/local/ then everyone in the admin group has read/write and execute access to /usr/local/ (not to any files and folders in there, only to /usr/local). The take home message is that programs run with the permissions of the user who launched them so installing with sudo will not affect the permissions of the programs when executed.

it's the same topic. The two commands I've mentioned is what homebrew's script did on my computer when installed. It asks for sudo password obviously. The thing I ask is: what is the purpose of that? To give brew permission to download and install programs here and thus write, read and execute them. Then if brew is owned by me, when I run it, it will be able to run any program it downloads and installs, and that program will run with my permissions as well? Couldn't this be dangerous? What I see is that prior having hb, I could control what's being executed there with sudo. Now I don't.

@slinzex those commands change the group of those files/folders to admin (chgrp) and give everyone of the group rwx permissions (chmod). This means that all users in the admin group will now have rwx access to the specified files. You still control, only users in the admin group have this access. If run by you, brew will be able to install things into those specific directories yes. I'm not sure I see what the issue is. This is veering away from your question and we try to avoid long comment threads here. Please post a new one asking specifically if it is safe to do what brew did.