MacOS – Homebrew permissions & multiple users needing to brew update

homebrewmacospermissionserver.app

I'm using Homebrew to manage package installs on Lion (Lion Server actually but this shouldn't matter).

Homebrew was installed under one user. Now a different user would like to add a package and Homebrew isn't happy:

$ brew update
fatal: Unable to create '/usr/local/.git/index.lock': Permission denied
Error: Failure while executing: git checkout -q master

Is this considered bad? I thought one of the advantages of using /usr/local/ for your installs was that you don't need sudo. But clearly we do.

All users who would need to modify Homebrew are members of admin group. So, I could chmod -R g+w /usr/local/ but afraid this will bork something or create security issues?!?

Advice?

$ ls -al /usr/local/.git/
total 432
drwxr-xr-x  14 ladmin  admin     476 Feb 24 11:48 .
drwxrwxr-x  14 root    admin     476 Feb  9 15:27 ..
-rw-r--r--   1 ladmin  admin      94 Feb 24 11:48 FETCH_HEAD
-rw-r--r--   1 ladmin  admin      23 Feb 24 11:48 HEAD
-rw-r--r--   1 ladmin  admin      41 Feb  9 15:28 ORIG_HEAD
drwxr-xr-x   2 ladmin  admin      68 Feb  9 15:27 branches
-rw-r--r--   1 ladmin  admin     218 Feb  9 15:27 config
-rw-r--r--   1 ladmin  admin      73 Feb  9 15:27 description
drwxr-xr-x  12 ladmin  admin     408 Feb  9 15:27 hooks
-rw-r--r--   1 ladmin  admin  200272 Feb 24 11:48 index
drwxr-xr-x   3 ladmin  admin     102 Feb  9 15:27 info
drwxr-xr-x   4 ladmin  admin     136 Feb  9 15:27 logs
drwxr-xr-x   4 ladmin  admin     136 Feb  9 15:27 objects
drwxr-xr-x   5 ladmin  admin     170 Feb  9 15:27 refs

Best Answer

Is this considered bad? I thought one of the advantages of using /usr/local/ for your installs was that you don't need sudo. But clearly we do.

Homebrew, by default, sets itself up for single-user access to /usr/local. So you need to open up the permissions on the directory tree for it to be administered by more than one person.

People don't need to run sudo here to administer homebrew. You just need to change some permissions. Since you already have:

All users who would need to modify Homebrew are members of admin group.

You need to do two more things:

Make sure everything under /usr/local belongs to the group admin; and
Make sure anyone from the group admin can write to anything under /usr/local.

In this case the changes to make are:

chgrp -R admin /usr/local
chmod -R g+w /usr/local
chgrp -R admin /Library/Caches/Homebrew
chmod -R g+w /Library/Caches/Homebrew

And any user from the admin group should be able to manage the homebrew installation on the machine. If you need to add a user to the admin group this can be accomplished like this:

 dseditgroup -o edit -a <username> -t user admin

(that user will need to login again to have the privileges granted).

For sanity on the machine, you may want to consider creating your own fork of Homebrew and have your local homebrew git repository point to the local fork. That lets you customize Homebrew for your environment and control the versions of packages that people are able to install with the brew command. With multiple people doing installs you could run in to version issues or dependency issues.

Ignore the permisson issue for now

I am experiencing the exact same problem and in my opinion the problem is in brew doctor rather than in your and my installation.

I think you should ignore the issue rather than changing the ownership of /usr/local. Alternatively, you could fix your local brew doctor script until a fix is released. See below.

I don't consider it correct to make /usr/local owned by a specific user. I have more than one admin user on this machine. You should leave /usr/local owned by root:admin as owner and group.

My investigation

Like for you I have a /usr/local that is perfectly writable by my user which is also a member of the admin group:

$ ls -ld /usr/local/
drwxrwxr-x  14 root  admin  476 22 Jun 23:33 /usr/local/
$ whoami
mgd
$ dscl . -read /Groups/admin GroupMembership
GroupMembership: root mgd rgd

Let's test that the dir is really writable:

$ ls -l /usr/local/newfile
ls: /usr/local/newfile: No such file or directory
$ touch /usr/local/newfile
$ ls -l /usr/local/newfile
-rw-r--r--  1 mgd  admin  0 23 Jun 14:52 /usr/local/newfile

Further investigation into the brew doctorcode led my to the conclusion that the use of the ruby function Pathname.writable? is causing the problem. Consider this interactive Ruby session:

$ irb
>> require 'pathname'
=> true
>> Pathname('/usr/local').writable?
=> false

Function Pathname.writable? says /usr/local is not writable even though we know it is.

Using Pathname.writable_real? instead gives the correct result – it says that the dir is writable:

>> Pathname('/usr/local').writable_real?
=> true

This should be fixed in /usr/local/Library/Homebrew/cmd/doctor.rb. You can fix it in your own installation while waiting for a fix.

The difference between the two functions are (according to the Ruby docs here and here):

writable?(file_name) → true or false: Returns true if the named file is writable by the effective user id of this process.

writable_real?(file_name) → true or false: Returns true if the named file is writable by the real user id of this process.

Homebrew: change name of group ownership in /usr/local/ so admins and standard users can brew

This can work if you also then make /usr/local/ and everything under it group-writable with chmod. The current permissions have them writable only by localadmin.

Yes, you will need to do something about the umask for users running brew. Otherwise users won't be able to modify stuff brewed by other users, even if they're both in the brewers group. You probably don't want to change their default umask, because then all the files they create would be group-writable, which is probably not what you want. You might use a custom wrapper script around the brew command which sets the umask to 002 for just the duration of that command, e.g. by doing the umask and brew calls in a subshell.

Best Answer

Related Solutions

MacOS – How to resolve permissions errors on OS X Lion after Homebrew install

Ignore the permisson issue for now

My investigation

Homebrew: change name of group ownership in /usr/local/ so admins and standard users can brew

Related Question