Is Brew Safe From Security Standpoint?

(John Costanzo) #1

So I know at one point in time brew used to change the owner of the /usr/local directory from root:wheel. Does it still do this? I am just worried about the security hole this could create. Tried searching for answers but could not find any. Thanks


(Paul M Lambert) #2

Here’s what is on my system:

$ ls -ld /usr/local
drwxr-xr-x  16 root  wheel  512 Dec 14 16:33 /usr/local/

At one time Brew would check out its core repository to /usr/local/ directly. That is no longer the case. Now it checks every remote repository into /usr/local/Homebrew or a subdirectory.

The ownership of all the brew-managed directories under /usr/local/ is the installing user:

$ ls -l /usr/local
total 0
drwxrwxr-x   53 plambert  admin   1696 Mar 23 00:35 Caskroom/
drwxrwxr-x  223 plambert  admin   7136 Feb 15 16:54 Cellar/
drwxrwxr-x    4 plambert  admin    128 Feb  6 18:22 Frameworks/
drwxrwxr-x   20 plambert  admin    640 Mar 10 23:30 Homebrew/
drwxrwxr-x  909 plambert  admin  29088 Feb 15 16:54 bin/
drwxrwxr-x   34 plambert  admin   1088 Feb 15 16:54 etc/
drwxrwxr-x  222 plambert  admin   7104 Feb 15 16:54 include/
drwxrwxr-x  520 plambert  admin  16640 Feb 15 16:54 lib/
drwxrwxr-x  259 plambert  admin   8288 Feb 15 16:54 opt/
drwxrwxr-x    7 plambert  admin    224 Nov 22 02:56 sbin/
drwxrwxr-x   67 plambert  admin   2144 Feb 15 16:54 share/
drwxrwxr-x   12 plambert  admin    384 Jan  6 13:46 var/

I don’t know if that is different from a “stock” install; I suspect that Brew makes many of those directories itself at installation. Check the source code for the initial installer to see what it does?



(John Costanzo) #3

But here is the part that is scary:

$ ls -ld /usr/local/bin
drwxrwxr-x  136 jcostanzo  admin  4352 Apr  6 21:11 /usr/local/bin

This is bad because /usr/local/bin is above /usr/bin in your path, so a malicious script could add sudo to /usr/local/bin that would do the same thing as sudo but take your password and upload it to a server.


(Mike McQuaid) #4

This is not specific to Homebrew but applies to any addition to your PATH in a user-writable directory e.g. rbenv, user-installed RubyGems. Homebrew itself uses the macOS sandbox to ensure that installation scripts cannot write outside their prefix.

In addition, if a malicious script/user can write to a user-writable directory then it is also able to already read/write/delete everything in your home directory which is likely to be sensitive.
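
Added example, not part of any post in this thread: a POSIX shell check for the situation discussed above. It lists commands in PATH directories the current user can write to that shadow a same-named command in a later PATH entry. The function names `shadowed_commands` and `first_later_match` are made up for this example.

```shell
#!/bin/sh
# Added example: report commands in user-writable PATH entries that shadow
# a same-named command in a later PATH entry.

# first_later_match NAME REST_OF_PATH
# Prints the first REST_OF_PATH entry holding an executable file called NAME.
first_later_match() (
    IFS=:
    set -f                      # no glob expansion while splitting on ':'
    for d in $2; do
        d=${d:-.}               # an empty PATH entry means the current directory
        if [ -f "$d/$1" ] && [ -x "$d/$1" ]; then
            printf '%s\n' "$d/$1"
            exit 0
        fi
    done
    exit 1
)

# shadowed_commands PATH_STRING
# One line per finding: "<writable copy> shadows <later copy>".
shadowed_commands() (
    rest=$1
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        case $rest in
            *:*) rest=${rest#*:} ;;   # keep only the entries searched later
            *)   rest= ;;
        esac
        dir=${dir:-.}
        # Only entries the invoking user can modify are of interest.
        # Run as your normal user: root passes the -w test everywhere.
        [ -d "$dir" ] && [ -w "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            if later=$(first_later_match "${f##*/}" "$rest"); then
                printf '%s shadows %s\n' "$f" "$later"
            fi
        done
    done
    exit 0
)

# Usage: shadowed_commands "$PATH"
```

Each reported line is worth comparing against what the package manager is expected to have installed; an unexpected copy of a system command in a writable directory is the case described in post #3.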