Security Issues using Homebrew or Macports, malicious binary insertion

Clemens Lang cal at macports.org
Tue Nov 6 19:19:19 UTC 2018


Hi,

On Tue, Nov 06, 2018 at 10:14:31AM -0500, Nicholas Papadonis wrote:
> This article goes into depth on how Homebrew opens OSX to a number of
> security issues. I'm curious if a security expert could comment if
> similar vulnerabilities exist with Macports.
> 
> One vulnerability is a malicious program acquiring the administrators
> password. The attack is opened up when Homebrew modifies
> /usr/local/bin permissions for r/w by a non-root user. This permission
> change allows an installed brew app to modify other binaries in this
> path, for instance sudo. Homebrew defaults the path prefix as follows
> /usr/local/bin:/usr/bin and therefore the malicious binary can take
> advantage of this by inserting another fake malicious binary.
> 
> The article is as follows:
> https://applehelpwriter.com/2018/03/21/how-homebrew-invites-users-to-get-pwned/

The article is accurate. But then again, dropping a binary into this
folder requires filesystem write privileges with your user account; if
somebody has those privileges they could instead modify your .bashrc to
include an alias for sudo that does the same thing. The situation does
become a bigger issue in multi-user systems, though, because at least
one user has write access to a folder that's on a different user's
$PATH.

It's considered best practice to not put user-writable paths on the
default search paths of all user accounts of your system, which is why
MacPorts defaults to a root-owned /opt/local/bin and /opt/local/sbin
folder (there is a non-root installation method for MacPorts available,
but let's not make this more complicated than it needs to be for now).

Homebrew say they do this so that they can build and install software
without superuser privileges, which improves security.

MacPorts on the other hand requires you to start installations as root
so it will be able to write into /opt/local. MacPorts tries to limit the
access an open source software's build system has to your system by
building (but not installing) as an unprivileged "macports" user and by
sandboxing the parts that need to run as root[1]. Effectively that means
software built under MacPorts cannot write data into your home directory
and is denied network access[2]. This privilege separation IMHO actually
improves security when compared to just building under your own user
account.


> More vulnerabilities here:
> https://hackerone.com/homebrew/

The entries on this page that are visible to me do not seem to be
vulnerabilities in the software running on users' computers. Not sure
those apply in this discussion.


> The author claims that Macports is more secure because the installer
> explicitly uses root privilege during package installation.
> 
> Are there any security experts out there that can comment on the
> security impact of using Homebrew and Macports? To be more secure
> should one use all their Unix applications in an emulated Linux
> VirtualBox session?

Security isn't always black and white. Depending on your level of
paranoia and your chance of being targeted, running things in VMs can
make sense or massively slow down your work. I'm not prepared to make a
claim that running things in VMs is not necessary or that not running
things in VMs is not secure.

HTH,
Clemens

[1] Ideally also the 'make install' step wouldn't be run as root but
    rather under an environment similar to fakeroot
    (https://wiki.debian.org/FakeRoot) or pseudo
    (https://www.yoctoproject.org/software-item/pseudo/). Unfortunately
    LD_PRELOAD-based methods are nowadays of limited use on macOS and we
    are currently not using them for this purpose.
[2] https://github.com/macports/macports-base/blob/master/src/port1.0/portsandbox.tcl

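The best-practice check described in the message above (no user-writable directories on the default search path) can be scripted. The following is an added example for this archive page, not code from the post, from MacPorts or from Homebrew. It assumes a POSIX sh with ls -n (numeric uid), cut and awk, which macOS and Linux both provide; the function names and the "trusted uid" parameter are this example's own. It goes slightly beyond the thread's case: besides group- or world-writable entries such as a Homebrew-owned /usr/local/bin, it also flags entries owned by a uid other than root and empty entries, which the shell treats as the current directory.

```shell
#!/bin/sh
# audit_path.sh: report PATH entries that a non-root user could write into.
# Added example for this thread; not code from the post, MacPorts or Homebrew.
# Assumes a POSIX sh with ls -n (numeric uid), cut and awk, as on macOS and Linux.

# 10-character permission string of a path, e.g. "drwxr-xr-x".
# cut drops the "@"/"+" that macOS ls appends for xattrs and ACLs.
mode_string() {
    ls -ldn "$1" | cut -c1-10
}

# Numeric owner uid of a path (third column of ls -ldn).
owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# Exit 0 when the group or "other" write bit is set on the path.
# A sticky bit (drwxrwxrwt, as on /tmp) does not help: anyone may still
# create a brand-new file called "sudo" in such a directory.
group_or_world_writable() {
    case "$(mode_string "$1")" in
        ?????w*)    return 0 ;;   # 6th character: group write bit
        ????????w*) return 0 ;;   # 9th character: other write bit
    esac
    return 1
}

# Classify one PATH entry; prints "<verdict> <dir> <reason>".
# $2 is the uid allowed to own a search directory (default 0, root).
classify_dir() {
    d=$1
    trusted_uid=${2:-0}
    if [ -z "$d" ]; then
        echo "RISKY '' empty entry means the current directory"
    elif [ ! -d "$d" ]; then
        echo "MISSING $d not a directory"
    elif group_or_world_writable "$d"; then
        echo "RISKY $d writable by group or everyone ($(mode_string "$d"))"
    elif [ "$(owner_uid "$d")" != "$trusted_uid" ]; then
        echo "RISKY $d owned by uid $(owner_uid "$d"), not uid $trusted_uid"
    else
        echo "ok $d"
    fi
}

# Walk a colon-separated PATH string and classify every entry.
# An empty entry (e.g. from a doubled colon) is reported as risky.
audit_path() {
    trusted_uid=${2:-0}
    old_ifs=$IFS
    IFS=:
    set -f                       # no globbing of entries containing * or ?
    for d in $1; do
        IFS=$old_ifs
        classify_dir "$d" "$trusted_uid"
    done
    set +f
    IFS=$old_ifs
}

# Number of RISKY entries in a PATH string, for a quick yes/no check.
count_risky() {
    audit_path "$1" "$2" | grep -c '^RISKY' || true
}

# Stand-alone use: audit the caller's own PATH, expecting root-owned dirs.
audit_path "$PATH"
```

Run as-is to audit your own PATH; audit_path also accepts a different PATH string and a different trusted uid as arguments, which is what you want when checking another account's search path on a multi-user machine. The mode check deliberately treats sticky world-writable directories as risky, because dropping a new file named after a privileged command is exactly the attack the thread is about.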

More information about the macports-users mailing list