From 1fb3a2e20c04f6c5715283c1c731f5d4f743e860 Mon Sep 17 00:00:00 2001 From: Max Howell Date: Fri, 29 Jul 2011 15:20:00 +0100 Subject: [PATCH] Ensure resulting /usr/local is not user writable Because we should do as little modification to the system as possible. Even though /usr/local doesn't exist on a virgin OS X, many tools create it, and some of them expect /usr/local to be root owned for security reasons. This modification fixes Airfoil on systems where it is installed. The result of this is we can no longer create new directories in the HOMEBREW_PREFIX unless we check and prompt for sudo first when required. --- install_homebrew.rb | 34 +++++++++++++++++++--------------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/install_homebrew.rb b/install_homebrew.rb index adc7882b96..7c103c0eae 100644 --- a/install_homebrew.rb +++ b/install_homebrew.rb @@ -70,12 +70,16 @@ puts "/usr/local/bin/brew" puts "/usr/local/Library/Formula/..." puts "/usr/local/Library/Homebrew/..." -chmods = %w( . bin etc include lib lib/pkgconfig Library sbin share var var/log share/locale share/man +chmods = %w( share/man lib/pkgconfig var/log share/locale share/man/man1 share/man/man2 share/man/man3 share/man/man4 share/man/man5 share/man/man6 share/man/man7 share/man/man8 - share/info share/doc share/aclocal ). - map{ |d| "/usr/local/#{d}" }. - select{ |d| File.directory? d and not File.writable? d } + share/info share/doc share/aclocal ).map{ |d| "/usr/local/#{d}" } +root_dirs = [] +%w(bin Cellar etc include lib Library sbin share var .git).each do |d| + d = "/usr/local/#{d}" + if File.directory? d then chmods else root_dirs end << d +end +chmods = chmods.select{ |d| File.directory? d and not File.writable? d } chgrps = chmods.reject{ |d| File.stat(d).grpowned? } unless chmods.empty? 
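Review bot: The new `root_dirs` loop gives no reason for its directory list, and `.git` and `Cellar` are surprising entries next to `bin` and `lib`. Judging by the `system "/bin/mkdir", *root_dirs` call in the next hunk, missing entries are created as user-owned directories while /usr/local is temporarily writable, presumably so later operations need no write access to the prefix itself. If that is the intent, a comment above the loop should say so, e.g. `# dirs Homebrew must own; missing ones are created below, before /usr/local is locked down again`. The line `if File.directory? d then chmods else root_dirs end << d` would also read more plainly as `(File.directory?(d) ? chmods : root_dirs) << d`.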
@@ -87,22 +91,19 @@ unless chgrps.empty? puts *chgrps end + if STDIN.tty? puts puts "Press enter to continue" abort unless getc == 13 end -if File.directory? "/usr/local" - sudo "/bin/chmod", "g+w", *chmods unless chmods.empty? - # all admin users are in staff - sudo "/usr/bin/chgrp", "staff", *chgrps unless chgrps.empty? -else - sudo "/bin/mkdir /usr/local" - sudo "/bin/chmod g+w /usr/local" - # the group is set to wheel by default for some reason - sudo "/usr/bin/chgrp staff /usr/local" -end +sudo "/bin/mkdir /usr/local" unless File.directory? "/usr/local" +sudo "/bin/chmod o+w /usr/local" +sudo "/bin/chmod", "g+w", *chmods unless chmods.empty? +sudo "/usr/bin/chgrp", "staff", *chgrps unless chgrps.empty? +system "/bin/mkdir", *root_dirs unless root_dirs.empty? + Dir.chdir "/usr/local" do ohai "Downloading and Installing Homebrew..." @@ -111,7 +112,10 @@ Dir.chdir "/usr/local" do system "/bin/bash -o pipefail -c '/usr/bin/curl -sSfL https://github.com/mxcl/homebrew/tarball/master | /usr/bin/tar xz -m --strip 1'" end -ohai "Installation successful!" +# we reset the permissions of /usr/local because we want to minimise the +# amount of fiddling we do to the system. Some tools require /usr/local to be +# by non-writable for non-root users. +sudo "/bin/chmod o-w /usr/local" warn "/usr/local/bin is not in your PATH." unless ENV['PATH'].split(':').include? '/usr/local/bin' warn "Now install Xcode: http://developer.apple.com/technologies/xcode.html" unless Kernel.system "/usr/bin/which -s gcc"
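Review bot: The added `sudo "/bin/chmod o+w /usr/local"` leaves /usr/local world-writable for the whole install, including the curl-to-tar download in the `Dir.chdir` block, and the matching `chmod o-w` in the last hunk runs only if the script gets that far. If the download fails or the user interrupts, the directory presumably stays writable by every local account (how the `sudo` and `system` helpers react to failure is defined outside this diff). Registering the reset before opening the directory, e.g. `at_exit { sudo "/bin/chmod o-w /usr/local" }`, would cover the failure paths. Creating the missing directories with `sudo "/bin/mkdir", *root_dirs` and then handing them to the invoking user would avoid the world-writable window altogether.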
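Review bot: The reset `sudo "/bin/chmod o-w /usr/local"` clears only the other-write bit, so a /usr/local that an earlier run of this installer made group-writable for `staff` (the `chmod g+w` and `chgrp staff` lines removed in the previous hunk) stays writable by every admin user, which falls short of the subject line's "not user writable". Either also drop group write here when the script finds it set, or narrow the comment to what is actually guaranteed. The comment's "to be by non-writable" should read "to be non-writable". This hunk also removes `ohai "Installation successful!"` without a replacement, so the script no longer reports success; restore it after the reset if the removal was not intended.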