Security Issues using Homebrew or Macports, malicious binary insertion

Marius Schamschula lists at schamschula.com
Tue Nov 6 16:39:33 UTC 2018


I can't say that I'm a security expert, but have been a system administrator of *NIX systems for 23 years, and do follow the advice from a number of real security experts.

You mention an obvious issue with installing binaries w/o root permission, no matter where in the directory structure. There are reasons why MacPorts, and for that matter Fink, don't install in /usr/local, but those have little to do with permissions. FreeBSD installs all local ports there, as do some Linux distros, but always with root permissions.

Homebrew follows the path of least resistance to make things easy on the end user. But at what cost?

> On Nov 6, 2018, at 9:14 AM, Nicholas Papadonis <nick.papadonis.ml at gmail.com> wrote:
> 
> This article goes into depth on how Homebrew opens OSX to a number of security issues. I'm curious if a security expert could comment if similar vulnerabilities exist with Macports.
> 
> One vulnerability is a malicious program acquiring the administrator's password. The attack is opened up when Homebrew modifies /usr/local/bin permissions for r/w by a non-root user. This permission change allows an installed brew app to modify other binaries in this path, for instance sudo. Homebrew defaults the path prefix as follows /usr/local/bin:/usr/bin and therefore the malicious binary can take advantage of this by inserting another fake malicious binary.
> 
> The article is as follows:
> https://applehelpwriter.com/2018/03/21/how-homebrew-invites-users-to-get-pwned/
> More vulnerabilities here:
> https://hackerone.com/homebrew/
> The author claims that Macports is more secure because the installer explicitly uses root privilege during package installation.
> 
> Are there any security experts out there that can comment on the security impact of using Homebrew and Macports? To be more secure should one use all their Unix applications in an emulated Linux VirtualBox session?
> 
> Thanks for any insight you may have.
> 
> Nicholas
> 

Marius
--
Marius Schamschula
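The two conditions the thread describes (a PATH directory writable by a non-root user, and a command in such a directory shadowing the same name later on PATH, e.g. /usr/local/bin/sudo ahead of /usr/bin/sudo) can be audited with a small POSIX sh script. This is an added example, not code from the mailing list, MacPorts or Homebrew; pass it the PATH string you want to check.

```shell
#!/bin/sh
# Added example: audit a PATH string for the hazards discussed above.
# Works with both macOS and GNU userland (uses only ls, cut, test).

# Print PATH entries that are not owned by root or carry group/world
# write bits, i.e. directories a non-root process could drop a binary into.
# Usage: writable_path_dirs "$PATH"
writable_path_dirs() {
    rest=$1
    while [ -n "$rest" ]; do
        d=${rest%%:*}
        case "$rest" in *:*) rest=${rest#*:} ;; *) rest="" ;; esac
        [ -d "$d" ] || continue
        set -- $(ls -ld "$d")                 # $1 = mode string, $3 = owner
        perm=$(printf '%s' "$1" | cut -c1-10) # drop trailing ACL/xattr marker
        owner=$3
        reason=""
        [ "$owner" != root ] && reason="not owned by root"
        case "$perm" in                       # char 6 = group w, char 9 = other w
            ?????w????|????????w?) reason="${reason:+$reason, }group/world-writable" ;;
        esac
        [ -n "$reason" ] && printf '%s: owner=%s mode=%s (%s)\n' "$d" "$owner" "$perm" "$reason"
    done
}

# Print every executable whose name also exists in a later PATH entry;
# the earlier copy is the one a shell will run first.
# Usage: shadowed_commands "$PATH"
shadowed_commands() {
    rest=$1
    while [ -n "$rest" ]; do
        d=${rest%%:*}
        case "$rest" in *:*) rest=${rest#*:} ;; *) rest="" ;; esac
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            name=${f##*/}
            later=$rest
            while [ -n "$later" ]; do
                l=${later%%:*}
                case "$later" in *:*) later=${later#*:} ;; *) later="" ;; esac
                [ -x "$l/$name" ] && printf '%s: %s shadows %s\n' "$name" "$f" "$l/$name"
            done
        done
    done
}
```

Running `shadowed_commands "$PATH"` on a Homebrew machine typically lists tools deliberately installed over Apple's versions, so read the output for names that should never come from a user-writable prefix (sudo, ssh, login) rather than treating every line as a finding.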


