Hi,

On Tue, Nov 06, 2018 at 10:14:31AM -0500, Nicholas Papadonis wrote:
> This article goes into depth on how Homebrew opens OSX to a number of
> security issues. I'm curious if a security expert could comment if
> similar vulnerabilities exist with MacPorts.
>
> One vulnerability is a malicious program acquiring the administrator's
> password. The attack is opened up when Homebrew modifies
> /usr/local/bin permissions for r/w by a non-root user. This permission
> change allows an installed brew app to modify other binaries in this
> path, for instance sudo. Homebrew defaults the path prefix as follows
> /usr/local/bin:/usr/bin and therefore the malicious binary can take
> advantage of this by inserting another fake malicious binary.
>
> The article is as follows:
> https://applehelpwriter.com/2018/03/21/how-homebrew-invites-users-to-get-pwned/
The article is accurate. But then again, dropping a binary into this folder
requires filesystem write privileges with your user account; if somebody has
those privileges they could instead modify your .bashrc to include an alias
for sudo that does the same thing.

The situation does become a bigger issue in multi-user systems, though,
because at least one user has write access to a folder that's on a different
user's $PATH. It's considered best practice to not put user-writable paths on
the default search paths of all user accounts of your system, which is why
MacPorts defaults to a root-owned /opt/local/bin and /opt/local/sbin folder
(there is a non-root installation method for MacPorts available, but let's
not make this more complicated than it needs to be for now).

Homebrew say they do this so that they can build and install software without
superuser privileges, which improves security. MacPorts on the other hand
requires you to start installations as root so it will be able to write into
/opt/local. MacPorts tries to limit the access an open source software's build
system has to your system by building (but not installing) as an unprivileged
"macports" user and by sandboxing the parts that need to run as root[1].
Effectively that means software built under MacPorts cannot write data into
your home directory and is denied network access[2]. This privilege
separation IMHO actually improves security when compared to just building
under your own user account.

> More vulnerabilities here:
> https://hackerone.com/homebrew/

The entries on this page that are visible to me do not seem to be
vulnerabilities in the software running on users' computers. Not sure those
apply in this discussion.

> The author claims that MacPorts is more secure because the installer
> explicitly uses root privilege during package installation.
>
> Are there any security experts out there that can comment on the
> security impact of using Homebrew and MacPorts? To be more secure
> should one use all their Unix applications in an emulated Linux
> VirtualBox session?

Security isn't always black and white. Depending on your level of paranoia
and your chance of being targeted, running things in VMs can make sense or
massively slow down your work. I'm not prepared to make a claim that running
things in VMs is not necessary or that not running things in VMs is not
secure.

HTH,
Clemens

[1] Ideally also the 'make install' step wouldn't be run as root but rather
under an environment similar to fakeroot (https://wiki.debian.org/FakeRoot)
or pseudo (https://www.yoctoproject.org/software-item/pseudo/).
Unfortunately LD_PRELOAD-based methods are nowadays of limited use on macOS
and we are currently not using them for this purpose.

[2] https://github.com/macports/macports-base/blob/master/src/port1.0/portsandbox.tcl
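The core point of the reply above is that a search-path directory writable by an unprivileged account lets that account shadow binaries for everyone whose $PATH includes it. The following script is an added example for this thread, not code from MacPorts, Homebrew or the original poster: it walks a colon-separated search path and flags every directory that is world-writable, group-writable, or not owned by root, which is the condition that turns a single-user nuisance into a multi-user problem. It assumes only the POSIX `ls -ldL` column layout (mode in field 1, owner in field 3), which holds on both macOS and Linux; the function and variable names are my own.

```sh
#!/bin/sh
# audit_path.sh: report PATH entries that a non-root user could write to.
# Added example for this thread; not part of MacPorts or Homebrew.
# Assumes POSIX `ls -ldL` output (mode in field 1, owner in field 3),
# which holds on both macOS and Linux. Only the plain mode bits are
# evaluated; ACL entries (shown as '+' after the mode) are not inspected.

# classify_path_dir DIR
# Prints one of: missing, world-writable, group-writable, non-root-owner, ok.
classify_path_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        printf 'missing\n'
        return 0
    fi
    # -L so a symlinked bin directory is judged by its target's permissions.
    info=$(ls -ldL "$dir")
    mode=${info%% *}                                   # e.g. drwxrwxr-x
    owner=$(printf '%s\n' "$info" | awk '{print $3}')
    # Character 6 is the group write bit, character 9 the "other" write bit.
    group_w=$(printf '%s\n' "$mode" | cut -c6)
    other_w=$(printf '%s\n' "$mode" | cut -c9)
    if [ "$other_w" = "w" ]; then
        printf 'world-writable\n'
    elif [ "$group_w" = "w" ]; then
        printf 'group-writable\n'
    elif [ "$owner" != "root" ]; then
        printf 'non-root-owner\n'
    else
        printf 'ok\n'
    fi
}

# audit_path [PATH_STRING]
# Walks a colon-separated search path (default: $PATH), prints every entry
# that is not "ok", and returns 1 if anything was flagged, 0 otherwise.
# An empty entry (between two colons or at either end) means the current
# directory, so it is checked and reported as ".".
audit_path() {
    path_value=${1:-$PATH}
    flagged=$(printf '%s\n' "$path_value" | tr ':' '\n' | while IFS= read -r dir; do
        [ -n "$dir" ] || dir='.'
        status=$(classify_path_dir "$dir")
        [ "$status" = ok ] || printf '%-16s %s\n' "$status" "$dir"
    done)
    if [ -n "$flagged" ]; then
        printf '%s\n' "$flagged"
        return 1
    fi
    return 0
}

# Run the audit against the live $PATH only when explicitly requested, e.g.
#   AUDIT_PATH_RUN=1 sh audit_path.sh
# so that sourcing the file for its functions has no side effects.
case ${AUDIT_PATH_RUN:-} in 1) audit_path ;; esac
```

On a stock MacPorts install the script reports nothing for /opt/local/bin and /opt/local/sbin (root-owned, 0755), while a Homebrew-style /usr/local/bin owned by the installing user shows up as non-root-owner. The owner check is deliberately ordered after the write-bit checks: a root-owned but group-writable directory is still a shared-write problem on a multi-user machine, and that is the case this thread is about.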