Security Issues using Homebrew or Macports, malicious binary insertion

Nicholas Papadonis nick.papadonis.ml at gmail.com
Tue Nov 6 22:30:17 UTC 2018


Thanks for the quick reply.

Do you have any specific examples or facts which support these claims?

On Tue, Nov 6, 2018 at 10:27 AM Marius Schamschula <mschamschula at gmail.com>
wrote:

> I can't say that I'm a security expert, but have been a system
> administrator of *NIX systems for 23 years, and do follow a number of real
> security experts.
>
> You mention an obvious issue with installing binaries w/o root permission,
> no matter where in the directory structure. There are reasons why MacPorts,
> and for that matter Fink, don't install in /usr/local, but that has little
> to do with permissions. FreeBSD installs all local ports there, as do some
> Linux distros.
>
> Homebrew follows the path of least resistance to make things easy. But at
> what cost?
>
> On Tue, Nov 6, 2018 at 9:14 AM Nicholas Papadonis <
> nick.papadonis.ml at gmail.com> wrote:
>
>> This article goes into depth on how Homebrew opens OSX to a number of
>> security issues. I'm curious if a security expert could comment if similar
>> vulnerabilities exist with Macports.
>>
>> One vulnerability is a malicious program acquiring the administrator's
>> password. The attack is opened up when Homebrew modifies /usr/local/bin
>> permissions for r/w by a non-root user. This permission change allows an
>> installed brew app to modify other binaries in this path, for instance
>> sudo. Homebrew defaults the path prefix as follows /usr/local/bin:/usr/bin
>> and therefore the malicious binary can take advantage of this by inserting
>> another fake malicious binary.
>>
>> The article is as follows:
>>
>> https://applehelpwriter.com/2018/03/21/how-homebrew-invites-users-to-get-pwned/
>> More vulnerabilities here:
>> https://hackerone.com/homebrew/
>>
>> The author claims that Macports is more secure because the installer
>> explicitly uses root privilege during package installation.
>>
>> Are there any security experts out there that can comment on the security
>> impact of using Homebrew and Macports? To be more secure should one use all
>> their Unix applications in an emulated Linux VirtualBox session?
>>
>> Thanks for any insight you may have.
>>
>> Nicholas
>>
>
>
> --
> Marius Schamschula
>
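The two conditions the thread describes, a PATH directory that a non-root user can write to and a binary earlier on PATH shadowing one later on it (the /usr/local/bin/sudo ahead of /usr/bin/sudo case), can both be checked from the shell. The script below is an added example, not part of the thread or of the Homebrew or MacPorts projects; it assumes only a POSIX sh and is meant to be run as the ordinary (non-root) account, since `[ -w ]` reports writability for whoever runs it. It reads directories and never changes anything.

```shell
#!/bin/sh
# Added example: audit the directories on a PATH for the two conditions
# discussed in the thread. Read-only; nothing is modified.
#   WRITABLE <dir>            the current user can write into this PATH dir
#   SHADOW <early> hides <late>  same command name in an earlier and a later dir

# List every PATH directory the current user can write to.
# Returns 0 when none are writable, 1 when at least one is.
writable_path_dirs() {
    old_ifs=$IFS; IFS=':'; set -- $1; IFS=$old_ifs   # split on ':' safely
    found=0
    for d in "$@"; do
        if [ -d "$d" ] && [ -w "$d" ]; then
            printf 'WRITABLE %s\n' "$d"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# For each executable in an earlier PATH directory, report any file of the
# same name in a later directory: the earlier copy is the one that runs.
# Returns 0 when nothing is shadowed, 1 when at least one name is.
find_shadowed_commands() {
    old_ifs=$IFS; IFS=':'; set -- $1; IFS=$old_ifs
    found=0
    i=0
    for d in "$@"; do
        i=$((i + 1))
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            name=${f##*/}
            j=0
            for later in "$@"; do
                j=$((j + 1))
                [ "$j" -gt "$i" ] || continue       # only directories after $d
                if [ -f "$later/$name" ]; then
                    printf 'SHADOW %s hides %s\n' "$f" "$later/$name"
                    found=1
                fi
            done
        done
    done
    [ "$found" -eq 0 ]
}

# Run both checks on one PATH string; 0 means no findings.
audit_path() {
    rc=0
    writable_path_dirs "$1" || rc=1
    find_shadowed_commands "$1" || rc=1
    return "$rc"
}

# Audit the PATH of the shell this script runs in.
if audit_path "$PATH"; then
    echo "PATH audit: no findings"
else
    echo "PATH audit: review the findings above"
fi
```

A WRITABLE line on a directory that precedes /usr/bin or /bin is the situation the article describes: anything that can write there can plant a command that wins the PATH lookup. A SHADOW line is not automatically malicious (a newer coreutils in a local prefix produces the same report), but a shadowed `sudo`, `ssh` or `login` deserves a look at who owns the earlier file and when it changed.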