Fix macOS filesystem security: use /etc/paths.d/TinyTeX instead of touching /usr/local/bin

[Copilot]

TinyTeX was recursively changing ownership of /usr/local/bin (chown -R) — affecting all pre-existing binaries unrelated to TinyTeX — and creating symlinks from /usr/local/bin into the user's home directory. This PR eliminates all /usr/local/bin manipulation on macOS entirely.

Changes

R/install.R

• Remove check_local_bin() entirely — /usr/local/bin is no longer touched at all
• Update use_tinytex(): on macOS, write the TinyTeX bin path to /etc/paths.d/TinyTeX via osascript instead of running tlmgr path add
• osascript() is now used solely for the /etc/paths.d operation
• Updated documentation for add_path parameter and use_tinytex()

R/tlmgr.R

• Rewrote tlmgr_path(): on macOS, action = 'add' writes the TinyTeX bin directory path to /etc/paths.d/TinyTeX with admin privileges (via osascript); action = 'remove' deletes that file. On Linux/Windows the existing tlmgr path add/remove behavior is unchanged.

tools/install-bin-unix.sh

• Removed the macOS block that created /usr/local/bin and changed ownership
• On macOS: write the current bin directory to /etc/paths.d/TinyTeX via sudo tee
• On Linux: unchanged ./tlmgr path add

tools/install-unx.sh

• On macOS: same /etc/paths.d/TinyTeX approach (respecting the --admin --no-path flag)
• On Linux: unchanged tlmgr path add

# Before (R/install.R)
osascript(sprintf('chown -R %s:admin %s', user, p))  # recursive chown on /usr/local/bin
# + tlmgr path add  (creates symlinks in /usr/local/bin -> ~/Library/TinyTeX/bin/*)

# After (R/tlmgr.R - tlmgr_path on macOS)
bin = normalizePath(dirname(find_tlmgr()))
writeLines(bin, tmp <- tempfile(tmpdir = '/tmp'))
osascript(sprintf('cp %s /etc/paths.d/TinyTeX', tmp))  # no /usr/local/bin involved

Original prompt

---

This section details on the original issue you should resolve

<issue_title>fix filesystem security issues</issue_title>
<issue_description>From #24 (comment):

/usr/local/bin should be writable by default on (at least recent versions of) macOS.

Please no 🤦 . No R package should ever automatically/directly change permissions on a file/directory outside of the user's home directory¹, nor encourage it as a long-term solution. Further, your script is changing ownership for files that have nothing at all to do with TinyTex. Lastly, setting up symlinks from /usr/local/bin/ into any user's /Users/*/bin/ is as bad if not worse than changing the ownership of /usr/local/bin/; even if that one user keeps it up to date, it is bad practice and has risks.

There are two ways to do it "responsibly" (from an OS security mindset):

1. Setup a Homebrew formula so that it can be installed and managed in a central location /opt/homebrew/..., usable to all users, and does not allow users to access other users' home directory contents. The presumption here is that the setup of Homebrew is permitted by a local user, and if on a multi-user system, who can do what with brew is for them to decide (not an R package maintainer ... no offense intended).
   I confess that I don't know homebrew well enough to be able to help much with this approach.
2. Initially install completely to a local or temporary location, then use the ocascript "with administrator privileges" trick for moving everything to /usr/local/bin/ and /usr/local/share/TinyTex/, no symlinks required. This supports multi-users just as natively without any fearsome user-directory-breach nor any permanent side-effects such as from chown.

I might be willing to help with number 2, though I apologize it will not happen any time soon. But I think that's a much preferred way-forward than the current method.

As a temporary step, can you do one or more of the following:

1. Add what the original owner/group were changed from? On my system I think it's root:staff but I can't know now. This allows security-obsessed people like me to undo the change to what it was before.
2. There should be no need to recursively change all non-TinyTex contents of /usr/local/bin/ to be owned by me, please remove the -R from chown -R. (This should never have been needed in the first place, this removal should have zero effect on the installation.)
3. Once installation is done, undo the change (using ocascript a second time) on /usr/local/bin/ (again, no need for recursive changes).

^{1: When external non-R software is required, if *that* software has a script that handles multi-user situations, then that is IMO an acceptable solution. No software I've ever installed on linux ever attempted to change ownership of `/usr/local/bin`, for many good reasons. Now that I've moved to MacOS, I continue the unix-y security mindsets, most of which Apple agrees with.}

Comments on the Issue (you are @copilot in this section)

• Fixes fix filesystem security issues #463

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ yihui
❌ Copilot
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[yihui]

instead of restoring ownership, let's use a different approach to solve the problem:

we don't tamper with /usr/local/bin at all, but use sudo only once to add TinyTeX's bin path to /etc/paths.d, e.g.

sudo echo path/to/TinyTeX/bin/* > /etc/paths.d/TinyTeX

then we should avoid tlmgr path add for macOS in all places; this command is called in several places in this package, some are through the R function tinytex::tlmgr_path() and some are tlmgr path add commands directly; please find out all of them and avoid them for macOS

the osascript() call in R should only do this /etc/paths.d operation and nothing else; i think we can get rid of check_local_bin() entirely since /usr/local/bin is no longer relevant

[Copilot]

instead of restoring ownership, let's use a different approach to solve the problem:

we don't tamper with /usr/local/bin at all, but use sudo only once to add TinyTeX's bin path to /etc/paths.d, e.g....

Done in eea0101.

The approach now:

• No /usr/local/bin changes at all — check_local_bin() is removed entirely
• On macOS, tlmgr_path('add') writes the TinyTeX bin dir path to /etc/paths.d/TinyTeX via osascript/sudo tee; tlmgr_path('remove') deletes that file
• On Linux/non-macOS, the existing tlmgr path add/remove behavior is unchanged
• All shell scripts (install-bin-unix.sh, install-unx.sh) have the same macOS/non-macOS split
• use_tinytex() on macOS also uses the /etc/paths.d approach instead of tlmgr path add
• osascript() is now only used for the /etc/paths.d operations