Hacker News

The user has to be an admin and have executed sudo previously for this to work. I hope that anybody who's smart enough to have access to this command (and admin membership) is equally qualified to parse scripts that may exploit this vulnerability...



Not at all a safe assumption. Most importantly, it's not that uncommon for even less experienced Mac users to copy and paste Terminal commands to solve one problem or another. A lot of those "Just type this!" solutions I've seen involve sudo somewhere.

But on top of that, maybe I don't understand your meaning here, but do you do a security audit on every line of every script that you ever run? Especially scripts that you run without sudo? I know that I don't.


"A lot of those "Just type this!" solutions I've seen involve sudo somewhere."

Not sure if you're alluding to this trick: http://thejh.net/misc/website-terminal-copy-paste

This particular exploit could be rather nasty when used in conjunction with the above.


Not even that. Lots of Mac help sites will include snippets of Bash code for the user to enter (say, something using rm to delete files the Finder is having trouble statting), and people will just enter those. You don't even need to do anything sneaky with the copy/paste process. Just offer some malicious code and expect the user to run it blindly since they wouldn't be coming to MacNoobHelp.com if they were capable of vetting for exploits.


Particularly installer scripts that are run by the trendy technique of

  curl -L http://www.example.com/some/cool/thing/install.sh | bash

Particularly risky if the protocol is not https. Even worse when the right-hand command is "sudo bash".
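An added example, not part of any comment in this thread and not code from any project mentioned in it: the download-then-verify alternative to piping curl into bash. It assumes the publisher provides a SHA-256 digest over a separate trusted channel; the function names, URL and digest arguments are hypothetical.

```shell
#!/bin/sh
# Added example: save the installer to disk, verify it, then run it.
# The URL and pinned digest are placeholders supplied by the caller.

# Print the SHA-256 of a file using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # macOS ships shasum
    fi
}

# Succeed only for https:// URLs.
is_https() {
    case "$1" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if the file exists and its digest matches the pinned value.
verify_digest() {
    [ -f "$1" ] || return 1
    [ "$(sha256_of "$1")" = "$2" ]
}

# Download, verify, then execute as the current user (no sudo).
fetch_verify_run() {
    url=$1
    expected=$2
    is_https "$url" || { echo "refusing non-https URL: $url" >&2; return 2; }
    tmp=$(mktemp) || return 1
    # --fail: an HTTP error page is never saved as the "script".
    # --proto/--proto-redir: a redirect cannot downgrade to plain http.
    if ! curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' -o "$tmp" "$url"; then
        rm -f "$tmp"; return 3
    fi
    if ! verify_digest "$tmp" "$expected"; then
        echo "digest mismatch, not running installer" >&2
        rm -f "$tmp"; return 4
    fi
    bash "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}
```

Because the script is written to a file before anything executes, it can also be opened and read between the download and the run, which a pipe into bash never allows.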


A few points:

- The default user created at setup of OSX is in the admin group.

- Certainly the 'has run sudo' is a bit of a restriction, but even running something like the Homebrew install script runs sudo. (Maybe 'users that run Homebrew without understanding sudo' is an even smaller restriction, but a few members of my research group live in exactly this intersection!)

- Do you habitually read every line of source code your computer would execute before you run that code?


I was unaware of being placed in the admin group by default. Is the admin group similar to the wheel group or is there also a wheel group for sudo access?

And yes, I very seldom run scripts copied from somebody else so when I do, I make sure I know what is being run. Granted, I'm a Linux and Windows user so the OSX philosophy might be different.


The admin group is what's used for sudo by default.


You mean installing Homebrew itself? Because if you're running "sudo brew install foo" you're doing it wrong.


Yes. And nope, I'm not referring to 'sudo brew install'.

The main homebrew page says, 'run this ruby script'.

The ruby script is available at: https://raw.github.com/mxcl/homebrew/go

The script includes a sudo command.

To be fair, I hadn't read the script in detail when I wrote my post, just far enough to see there was a definition of a sudo function. On review, it looks like they either call it to chmod/chgrp HOMEBREW_PREFIX (sometimes), or run sudo to create the directories.


Fair enough. I think everyone agrees that the "download and execute a random gist" method of installation is not great.


I don't see any reason why it's worse than running a binary installer, and people seem to object to that a lot less for some reason.


Homebrew fails if you attempt to run it with sudo.


See my comment above. I'm not referring to running 'sudo homebrew ...', I'm talking about the installation, which has to run sudo to change some permissions in HOMEBREW_PREFIX.


Root can do anything. If that's a vulnerability then the entire system is a vulnerability.



