[MacPorts] #72554: Use of dscl triggers endpoint detection as a "A user's password hash was dumped"
MacPorts
noreply at macports.org
Fri May 30 12:46:36 UTC 2025
---------------------------+--------------------
 Reporter:  infinitesteps  |      Owner:  (none)
     Type:  defect         |     Status:  new
 Priority:  Low            |  Milestone:
Component:  ports          |    Version:
 Keywords:                 |       Port:
---------------------------+--------------------
An endpoint detection and response (EDR) agent blocked and reported `sudo
port selfupdate` because it uses dscl. I don't expect this to be fixed
necessarily, but I wanted to report it because it might break MacPorts on
systems using EDR. Apparently dscl can be used to dump a user's password
hash. The offending MacPorts script seems to be merely creating/reading
the groupid for the macports group. Clearly it is a false positive and it
has been marked as such locally. I am not looking for solutions. Just
wanted to report this experience in case it might help others debug
problems - I see at least one ticket related to dscl failing.
--
Ticket URL: <https://trac.macports.org/ticket/72554>
MacPorts <https://www.macports.org/>
Ports system for macOS