Thanks for the quick reply. Do you have any specific examples or facts which support these claims?
On Tue, Nov 6, 2018 at 10:27 AM Marius Schamschula <mschamsch...@gmail.com> wrote:
> I can't say that I'm a security expert, but have been a system administrator of *NIX systems for 23 years, and do follow a number of real security experts.
>
> You mention an obvious issue with installing binaries w/o root permission, no matter where in the directory structure. There are reasons why MacPorts, and for that matter Fink, don't install in /usr/local, but that has little to do with permissions. FreeBSD installs all local ports there, as do some Linux distros.
>
> Homebrew follows the path of least resistance to make things easy. But at what cost?
>
> On Tue, Nov 6, 2018 at 9:14 AM Nicholas Papadonis <nick.papadonis...@gmail.com> wrote:
>
>> This article goes into depth on how Homebrew opens OSX to a number of security issues. I'm curious if a security expert could comment if similar vulnerabilities exist with Macports.
>>
>> One vulnerability is a malicious program acquiring the administrator's password. The attack is opened up when Homebrew modifies /usr/local/bin permissions for r/w by a non-root user. This permission change allows an installed brew app to modify other binaries in this path, for instance sudo. Homebrew defaults the path prefix as follows: /usr/local/bin:/usr/bin, and therefore the malicious binary can take advantage of this by inserting another fake malicious binary.
>>
>> The article is as follows:
>>
>> https://applehelpwriter.com/2018/03/21/how-homebrew-invites-users-to-get-pwned/
>>
>> More vulnerabilities here:
>> https://hackerone.com/homebrew/
>>
>> The author claims that Macports is more secure because the installer explicitly uses root privilege during package installation.
>>
>> Are there any security experts out there that can comment on the security impact of using Homebrew and Macports? To be more secure, should one use all their Unix applications in an emulated Linux VirtualBox session?
>>
>> Thanks for any insight you may have.
>>
>> Nicholas
>
>
> --
> Marius Schamschula
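An added example, not from the thread and not from Homebrew or MacPorts: a POSIX shell audit that checks each PATH entry for the condition Nicholas describes, a directory writable by a non-root account that is searched before /usr/bin. Function names are hypothetical.

```shell
#!/bin/sh
# Audit a PATH-style list for directories a non-root user could write to
# (the /usr/local/bin situation described above) and note when such a
# directory is searched ahead of /usr/bin. Hypothetical helper names.

# Print "<octal mode> <owner uid>" with GNU stat (Linux) or BSD stat (macOS).
dir_mode_uid() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%OLp %u' "$1"
}

# True when a single octal permission digit has the write bit (2) set.
digit_writable() {
    case "$1" in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# audit_path [PATH-string]: print one line per risky directory as
#   "<dir> mode=<octal> uid=<uid> <reasons>"
# and return 0 if anything was flagged, 1 otherwise. Defaults to $PATH.
audit_path() {
    list="${1:-$PATH}"
    found=1
    usr_bin_seen=0
    old_ifs="$IFS"; IFS=:
    set -- $list                 # split on ':' into positional parameters
    IFS="$old_ifs"
    for dir in "$@"; do
        [ "$dir" = /usr/bin ] && usr_bin_seen=1
        [ -d "$dir" ] || continue
        mu=$(dir_mode_uid "$dir") || continue
        mode=${mu% *}; uid=${mu#* }
        other=${mode#"${mode%?}"}                     # last digit: others
        grp_tmp=${mode%?}; group=${grp_tmp#"${grp_tmp%?}"}  # second-last: group
        reasons=""
        digit_writable "$other" && reasons="$reasons world-writable"
        digit_writable "$group" && reasons="$reasons group-writable"
        [ "$uid" -ne 0 ] && reasons="$reasons owned-by-uid-$uid"
        [ -z "$reasons" ] && continue
        # Writable entries ahead of /usr/bin shadow system binaries such as sudo.
        [ "$usr_bin_seen" -eq 0 ] && reasons="$reasons searched-before-/usr/bin"
        printf '%s mode=%s uid=%s%s\n' "$dir" "$mode" "$uid" "$reasons"
        found=0
    done
    return $found
}
```

Run `audit_path` with no argument to check the current shell's PATH; a clean PATH prints nothing and exits 1.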