Security Issues using Homebrew or Macports, malicious binary insertion

Nicholas Papadonis at
Tue Nov 6 22:30:17 UTC 2018

Thanks for the quick reply.

Do you have any specific examples or facts which support these claims?

On Tue, Nov 6, 2018 at 10:27 AM Marius Schamschula <mschamschula at>

> I can't say that I'm a security expert, but have been a system
> administrator of *NIX systems for 23 years, and do follow a number of real
> security experts.
> You mention an obvious issue with installing binaries w/o root permission,
> no matter where in the directory structure. There are reasons why MacPorts,
> and for that matter Fink, don't install in /usr/local, but that has little
> to do with permissions. FreeBSD installs all local ports there, as do some
> Linux distros.
> Homebrew follows the path of least resistance to make things easy. But a
> what cost?
> On Tue, Nov 6, 2018 at 9:14 AM Nicholas Papadonis <
> at> wrote:
>> This article goes into depth on how Homebrew opens OSX to a number of
>> security issues. I'm curious if a security expert could comment if similar
>> vulnerabilities exist with Macports.
>> One vulnerability is a malicious program acquiring the administrators
>> password. The attack is opened up when Homebrew modifies /usr/local/bin
>> permissions for r/w by a non-root user. This permission change allows an
>> installed brew app to modify other binaries in this path, for instance
>> sudo. Homebrew defaults the path prefix as follows /usr/local/bin:/usr/bin
>> and therefore the malicious binary can take advantage of this by inserting
>> another fake malicious binary.
>> The article is as follows:
>> More vulnerabilities here:
>> The author claims that Macports is more secure because the installed
>> explicitly uses root privilege during package installation.
>> Are there any security experts out there that can comment on the security
>> impact of using Homebrew and Macports? To be more secure should one use all
>> their Unix applications in a emulated Linux VirtualBox session?
>> Thanks for any insight you may have.
>> Nicholas
> --
> Marius Schamschula
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the macports-users mailing list