Produce a warning when running R as admin or have write permissions to the system package library

[HenrikBengtsson]

Add an argument and option, possible make it the default, that causes startup::startup() to generate a warning:

WARNING: You are running R as an administrator, which means that you
will install R packages centrally, you might corrupt your operating
system from calling the wrong commands by mistakes, and malicious R
code will have full access to everything on your computer.

[pat-s]

Maybe this should/could also be discussed with the CRAN team?

It might potentially be helpful if this warning would include something like "indirectly through your 'admin' group membership". Not sure how to phrase this in a way that it is precise and short and understandable by the "average" rstats macOS user though as these usually do not know that UNIX groups are.

[HenrikBengtsson]

It might potentially be helpful if this warning would include something like "indirectly through your 'admin' group membership". Not sure how to phrase this in a way that it is precise and short and understandable by the "average" rstats macOS user though as these usually do not know that UNIX groups are.

So, from your https://twitter.com/pjs_228/status/1472324235230162946 comments, I now understand it as, most macOS users do not run as admin, but belongs to the admin Unix group which has write permission to lots of system folders. Running as admin is a bigger problem than having access to admin folders, but both are still problematic since they can wreak havoc on the system.

Ignoring what R itself could/should do for now, here in startup, I could also warn against write permissions in the system package library folder (rev(.libPaths())[1]), e.g.

WARNING: You ('alice') have write permission to the system library
folder ('/home/hb/software/R-devel/R-4-1-branch/lib/R/library').
There is a risk that you might remove base R packages by mistake.
Also, you do not appear to have a personal package library set up,
which means that any package you install will be installed to the
system package library.  For stability of R, it is often better to
install packages to a personal package library.

This can be tested for using:

file.access(rev(.libPaths())[1], mode = 2L)
/home/hb/software/R-devel/R-4-1-branch/lib/R/library 
                                                  -1 

Comment: Yes, I remove the write permission on the system library folder even when I install from source to my own home directory; this prevents me from mistakes and causes R to offer me a personal library folder (R_LIBS_USER), which then becomes .libPaths()[1].

[pat-s]

So, from your twitter.com/pjs_228/status/1472324235230162946 comments, I now understand it as, most macOS users do not run as admin, but belongs to the admin Unix group which has write permission to lots of system folders. Running as admin is a bigger problem than having access to admin folders, but both are still problematic since they can wreak havoc on the system.

Yes. I have not done research though yet if there is a practical difference between these two modes, i.e. if the admin group has less permissions in the end than running with sudo.

I could also warn against write permissions in the system package library folder

This seems like a great solution. The already existing {startup} messages have been good help for me in the past.

Comment: Yes, I remove the write permission on the system library folder even when I install from source to my own home directory; this prevents me from mistakes and causes R to offer me a personal library folder (R_LIBS_USER), which then becomes .libPaths()[1].

👍

[HenrikBengtsson]

Yes. I have not done research though yet if there is a practical difference between these two modes, i.e. if the admin group has less permissions in the end than running with sudo.

I guess, for example, that you could remove another user's files on the same system if you run as admin, but you can probably not remove those files if run as a regular user (unless they're also in the admin Unix group and give write permissions to that group).

I agree with you that, if this is the default behavior for all macOS users, the this might be something R itself should fix, but I don't know how yet. You said in your tweets that the files are ownred by root:admin. Does that mean that the installer ran as "root", e.g. is explicit or implicit sudo required to install R?