How to figure out what is causing the ownership of /usr/local to change from my-username to root

macos homebrew permission

I use homebrew as a package manager for certain web development app. To keep brew up-to-date I run update brew every couple of days and also run brew doctor. Usually, this is fine and brew tells me I'm ready to brew.

Every now and then, however, I get the following error:

Warning: /usr/local/etc isn't writable.

This can happen if you "sudo make install" software that isn't managed by by Homebrew. If a formula tries to write a file to this directory, the install will fail during the link step.

You should probably chown /usr/local/etc

Warning: The /usr/local directory is not writable. Even if this directory was writable when you installed Homebrew, other software may change permissions on this directory. Some versions of the "InstantOn" component of Airfoil are known to do this.

You should probably change the ownership and permissions of /usr/local back to your user account.

It's easy enough to reset the permissions back to my username. Afterwards brew seems to be fine.

But what is causing this to happen?

Is there a log that shows what is causing the permissions to change?


Solution 1:

I had this exact same issue, and it turns out Sophos auto-update was to blame. I figured this out by running: sudo fs_usage | grep "usr/local"

It took a while, but eventually I saw Sophos's helpfully named "Installation" daemon messing with /usr/local's permissions.

I'm still trying to figure out an appropriate work around for this behavior.

EDIT: I believe Sophos has fixed this issue, see the link in the comments of this answer. It seems to be fixed for me at least!

Solution 2:

Turns out Filewave is the culprit. Filewave is a system management software used by our school to push software updates. Thanks for the input.

Solution 3:

I have just a rough idea how get the permission thief. This is not a solution to your problem, but more some sort of workaround.

What about writing a watchdog in Automator or with Hazel (folder actions) for watching this particular folder but instead of adding a function like Scale images you just use a shellscript which executes several shell commands:

  • If the folder is changed in any way, just snapshot the permissions and the currently accessing process id with fuser <foldername>.
  • then you lookup in the process table the process id (ps auxwwwwww | grep <process id>) and finally
  • write an email to yourself with these collected informations.

Unfortunately I am no Automator sadhu, but I found out by Google there are plenty of solutions for such a similar problem.

Related

To prevent Text Wrap in OSX Terminal? [duplicate]
El Capitan /private/var/folders cache files consuming 30–40 GB
How do I stop people reading my iMessages as they come in?
Open app in background from Terminal
How can I set hourly reminder in Mac? If possible how to set my customised voice?
Change all photo durations at once in iMovie 10.1.1
Why does touch bar sometimes ignore first touch?
What if there is an error message that adoptopenjdk8 exists in multiple taps?
From which year do MacBook keyboards have no issues?
How can I ditch iTunes and find a suitable audio player?
What jabber clients are there for iPhone?
Can I disable the iPhone's auto-rotation to landscape mode?