Discussion:
Security Issues using Homebrew or Macports, malicious binary insertion
Nicholas Papadonis
2018-11-06 15:14:31 UTC
This article goes into depth on how Homebrew opens OSX to a number of
security issues. I'm curious if a security expert could comment if similar
vulnerabilities exist with Macports.

One vulnerability is a malicious program acquiring the administrator's
password. The attack is opened up when Homebrew modifies /usr/local/bin
permissions for r/w by a non-root user. This permission change allows an
installed brew app to modify other binaries in this path, for instance
sudo. Homebrew defaults the path prefix as follows /usr/local/bin:/usr/bin
and therefore the malicious binary can take advantage of this by inserting
another fake malicious binary.

The article is as follows:
https://applehelpwriter.com/2018/03/21/how-homebrew-invites-users-to-get-pwned/
More vulnerabilities here:
https://hackerone.com/homebrew/

The author claims that Macports is more secure because the installer
explicitly uses root privilege during package installation.

Are there any security experts out there that can comment on the security
impact of using Homebrew and Macports? To be more secure should one use all
their Unix applications in an emulated Linux VirtualBox session?

Thanks for any insight you may have.

Nicholas
Marius Schamschula
2018-11-06 16:39:33 UTC
I can't say that I'm a security expert, but have been a system administrator of *NIX systems for 23 years, and do follow the advice from a number of real security experts.

You mention an obvious issue with installing binaries w/o root permission, no matter where in the directory structure. There are reasons why MacPorts, and for that matter Fink, don't install in /usr/local, but those have little to do with permissions. FreeBSD installs all local ports there, as do some Linux distros, but always with root permissions.

Homebrew follows the path of least resistance to make things easy on the end user. But at what cost?
Marius
--
Marius Schamschula
Ryan Schmidt
2018-11-06 17:54:33 UTC
Installing MacPorts using the installer package posted on our web page requires an administrator password, and the files and directories it installs are owned by root, meaning nobody but an administrator can change them. It also creates a normal unprivileged user account called "macports" for MacPorts to use later.

Using MacPorts as installed in this way also requires an administrator password. The files MacPorts ports install are usually owned by root, though individual ports can make their own decisions about that. For example, a database server port might create a special user account to be used by the database server when it's running, and it might install an empty directory where the files that the database server will write can live, and the owner of that directory would be set to that new user account.

When you invoke the "port" command with "sudo" and provide your administrator password, MacPorts switches to the unprivileged "macports" user. At that point it no longer has root privileges so even if a malicious portfile were committed that tried to do this, it could not modify files outside of its build directory. MacPorts elevates back to root privileges when doing something that requires root access, for example for the final step that actually installs the files into the /opt/local prefix.

It is possible to build MacPorts from source configured not to use root access, and if you do that, you don't get the above protections. We don't recommend doing this.

MacPorts keeps track of what files each port installs and does not permit one port to overwrite another port's files (unless the user requests this by using the -f flag, so the user should refrain from habitually using this flag).
Ken Cunningham
2018-11-06 18:03:47 UTC
Post by Ryan Schmidt
MacPorts keeps track of what files each port installs and does not permit one port to overwrite another port's files (unless the user requests this by using the -f flag, so the user should refrain from habitually using this flag).
It is also to be noted that homebrew cannot suddenly change itself to deliver this degree of security without a fairly complete rehash of the way it works, and most/many/all of its "advantages" of installing in /usr/local that have served to make it popular would then be totally lost, and most likely many/most/all of its formulae would need to be rewritten to accommodate this change. Many of them at present assume things are found automatically in /usr/local.

homebrew has been popular because it's "easy" -- its files in /usr/local are found without intervention by any compiler or shell. However, that does not come without costs.

MacPorts requires more work to specifically include certain include paths, library paths, and executable paths -- but that comes with some knowledge of what you're actually getting, and the security of knowing that it can't be messed with without your permission.

Tradeoffs.

Ken
Nicholas Papadonis
2018-11-06 22:28:48 UTC
I notice source is located at:

https://www.macports.org/ports.php?by=all

Is there any specific way for one to reconcile the binaries Macports is
installing to the source code maintained by the project? Branch, tag,
marker etc?

Thanks
Nicholas Papadonis
2018-11-06 22:29:41 UTC
I appreciate the detailed description.

Do you know anything about the process to integrate new source code, review
changes that are Mac specific, mark branches stable, build and release? Do
particular users have privileged access to be part of this process?

I suspect this is an issue with any open source project, however I am curious
how MacPorts itself ensures the code from the project makes it to release
as original as possible. I hope these are the right questions to ask from
a security standpoint.

Thanks
Rainer Müller
2018-11-11 18:31:01 UTC
Post by Nicholas Papadonis
Do you know anything about the process to integrate new source code,
review changes that are Mac specific, mark branches stable, build and
release?  Do particular users have privileged access to be part of this
process?
There are no special privileges with regard to any part of the ports
tree or base development. All project members have the same access
level. Things that are only handled by the infrastructure team would be
server administration and ownership of the GitHub project.

Code review happens over pull requests on GitHub and also the mailing
list macports-changes [1], where all commits to base and ports are
announced. Note there are only a handful of regular base developers.

Creation of new base branches is usually announced on the macports-dev
mailing list. For new 2.x.0 releases, we usually have several release
candidates first, for which everyone should feel invited to test the
changes.
Post by Nicholas Papadonis
I suspect this is an issue with any open source project, however I am
curious how MacPorts itself ensures the code from the project makes it
to release as original as possible. I hope these are the right
questions to ask from a security standpoint.
Hm, I do not think there is anything special in place. Whoever signs a
MacPorts base release has also built the binaries. We have to trust the
release builder in the same way any user that receives such a package
installer has to trust them.

Rainer

[1] https://lists.macports.org/mailman/listinfo/macports-changes
[2] https://lists.macports.org/mailman/listinfo/macports-dev

Nicholas Papadonis
2018-11-06 23:09:58 UTC
Do you know if there is a select group that reviews source changes to the
installer package and ports installer? This seems like a good entry point
to slip in malicious binaries as root. Therefore I'm curious if there is a
good security lock on it.

Thanks again for your help
Clemens Lang
2018-11-06 19:19:19 UTC
Hi,
Post by Nicholas Papadonis
This article goes into depth on how Homebrew opens OSX to a number of
security issues. I'm curious if a security expert could comment if
similar vulnerabilities exist with Macports.
One vulnerability is a malicious program acquiring the administrators
password. The attack is opened up when Homebrew modifies
/usr/local/bin permissions for r/w by a non-root user. This permission
change allows an installed brew app to modify other binaries in this
path, for instance sudo. Homebrew defaults the path prefix as follows
/usr/local/bin:/usr/bin and therefore the malicious binary can take
advantage of this by inserting another fake malicious binary.
https://applehelpwriter.com/2018/03/21/how-homebrew-invites-users-to-get-pwned/
The article is accurate. But then again, dropping a binary into this
folder requires filesystem write privileges with your user account; if
somebody has those privileges they could instead modify your .bashrc to
include an alias for sudo that does the same thing. The situation does
become a bigger issue in multi-user systems, though, because at least
one user has write access to a folder that's on a different user's
$PATH.

It's considered best practice to not put user-writable paths on the
default search paths of all user accounts of your system, which is why
MacPorts defaults to a root-owned /opt/local/bin and /opt/local/sbin
folder (there is a non-root installation method for MacPorts available,
but let's not make this more complicated than it needs to be for now).

Homebrew say they do this so that they can build and install software
without superuser privileges, which improves security.

MacPorts on the other hand requires you to start installations as root
so it will be able to write into /opt/local. MacPorts tries to limit the
access an open source software's build system has to your system by
building (but not installing) as an unprivileged "macports" user and by
sandboxing the parts that need to run as root[1]. Effectively that means
software built under MacPorts cannot write data into your home directory
and is denied network access[2]. This privilege separation IMHO actually
improves security when compared to just building under your own user
account.
Post by Nicholas Papadonis
https://hackerone.com/homebrew/
The entries on this page that are visible to me do not seem to be
vulnerabilities in the software running on users' computers. Not sure
those apply in this discussion.
Post by Nicholas Papadonis
The author claims that Macports is more secure because the installed
explicitly uses root privilege during package installation.
Are there any security experts out there that can comment on the
security impact of using Homebrew and Macports? To be more secure
should one use all their Unix applications in a emulated Linux
VirtualBox session?
Security isn't always black and white. Depending on your level of
paranoia and your chance of being targeted running things in VMs can
make sense or massively slow down your work. I'm not prepared to make a
claim that running things in VMs is not necessary or that not running
things in VMs is not secure.

HTH,
Clemens

[1] Ideally also the 'make install' step wouldn't be run as root but
rather under an environment similar to fakeroot
(https://wiki.debian.org/FakeRoot) or pseudo
(https://www.yoctoproject.org/software-item/pseudo/). Unfortunately
LD_PRELOAD-based methods are nowadays of limited use on macOS and we
are currently not using them for this purpose.
[2] https://github.com/macports/macports-base/blob/master/src/port1.0/portsandbox.tcl
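The check below is an added example; it is not code from any post in this thread nor from the MacPorts or Homebrew projects. It audits a colon-separated search path for the two conditions raised above: a directory on the path that a non-root user can modify (Clemens's point about user-writable paths on the default search path, and the /usr/local/bin case from the article), and an executable in such a directory that shadows a same-named command found later on the path (the fake-sudo scenario). The same weak_reasons test applies to any installed file, so it can also confirm Ryan's description that a MacPorts prefix such as /opt/local is root-owned. It assumes only POSIX sh and find, reads the filesystem and changes nothing; the function names are my own.

```shell
#!/bin/sh
# Audit a colon-separated search path for the weakness discussed in the
# thread: a directory (or a binary inside it) that a non-root user can
# write to, so that code running as that user can replace or add a
# command which then takes precedence over the system copy found later
# on the path. Added example, not code from MacPorts, Homebrew or the
# linked article; assumes only POSIX sh and find.
# Usage: audit_path "$PATH"

# Print the ways a file or directory could be tampered with by a
# non-root user (empty string if none): not owned by root, and/or
# writable by group or others. -prune keeps find from descending, so
# only the named entry itself is inspected.
weak_reasons() {
    _r=""
    if [ -n "$(find "$1" -prune ! -user root -print 2>/dev/null)" ]; then
        _r="not-owned-by-root"
    fi
    if [ -n "$(find "$1" -prune \( -perm -g+w -o -perm -o+w \) -print 2>/dev/null)" ]; then
        _r="${_r:+$_r,}group-or-other-writable"
    fi
    printf '%s' "$_r"
}

# Print the first same-named executable found in the later directories
# of the path (given as "d1:d2:...:"), i.e. the command that a file in an
# earlier directory would shadow. Prints nothing and returns 1 if none.
shadowed_by() {
    _name=$1
    _later=$2
    while [ -n "$_later" ]; do
        _d=${_later%%:*}
        _later=${_later#*:}
        if [ -x "$_d/$_name" ]; then
            printf '%s' "$_d/$_name"
            return 0
        fi
    done
    return 1
}

# Walk the path in order. For every weak directory print
#   <dir> <reasons>
# and for every executable in a weak directory, or any executable that is
# itself weak, print
#   <file> <reasons> shadows <later-file>   ("shadows -" if nothing)
# Missing directories are skipped. Returns 1 if anything was flagged.
audit_path() {
    _rest="$1:"
    _status=0
    while [ -n "$_rest" ]; do
        _dir=${_rest%%:*}
        _rest=${_rest#*:}
        [ -d "$_dir" ] || continue
        _dreason=$(weak_reasons "$_dir")
        if [ -n "$_dreason" ]; then
            printf '%s %s\n' "$_dir" "$_dreason"
            _status=1
        fi
        for _f in "$_dir"/*; do
            [ -f "$_f" ] && [ -x "$_f" ] || continue
            _freason=$(weak_reasons "$_f")
            # In a weak directory every file is replaceable even when the
            # file itself is root-owned (it can be renamed and recreated).
            [ -n "$_dreason" ] || [ -n "$_freason" ] || continue
            _shadow=$(shadowed_by "${_f##*/}" "$_rest") || _shadow="-"
            printf '  %s %s shadows %s\n' "$_f" "${_freason:-dir-writable}" "$_shadow"
            _status=1
        done
    done
    return $_status
}
```

Run audit_path "$PATH" from a login shell; a system with only root-owned, non-writable directories on the path prints nothing and exits 0. Because find is called with -prune, only the named entry is examined, so the walk is cheap even on a long path, and the output directly shows which later command (for example a system sudo) a file in a writable directory would shadow.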
Nicholas Papadonis
2018-11-06 22:30:17 UTC
Thanks for the quick reply.

Do you have any specific examples or facts which support these claims?
Post by Marius Schamschula
I can't say that I'm a security expert, but have been a system
administrator of *NIX systems for 23 years, and do follow a number of real
security experts.
You mention an obvious issue with installing binaries w/o root permission,
no matter where in the directory structure. There are reasons why MacPorts,
and for that matter Fink, don't install in /usr/local, but that has little
to do with permissions. FreeBSD installs all local ports there, as do some
Linux distros.
Homebrew follows the path of least resistance to make things easy. But at
what cost?