1

I would like to use Homebrew on my new M1 Mac, but I am concerned about some of the potential security vulnerabilities associated with /usr/local/. Basically this:

https://applehelpwriter.com/2018/03/21/how-homebrew-invites-users-to-get-pwned/

It looks like some people have mitigated this for Intel Macs by installing Homebrew on a dedicated non-root user account and restricting /usr/local/ write access to that user, like this:

Improving security of homebrew installation (ownership of /usr/local)

Is a similar precaution necessary on the Apple Silicon version of Homebrew, given that it now installs by default to /opt/homebrew/? If so, how would I go about setting that up?

tdismal
  • 11

1 Answer

2

The risk mentioned in your first link doesn't depend on the directory Homebrew is installed in; it comes from the fact that a user-writeable directory exists early within PATH, which allows an attacker to "shadow" a command like sudo. So the situation hasn't changed in regard to this.

PS: IMHO, the additional risk was and is rather small. The user installing Homebrew (which is then also the user having write access to /opt/homebrew) needs to be Administrator anyway. And as Administrator you can install a shadowing command in /usr/local/bin even without Homebrew.

nohillside
  • 100,768
  • But they only need to be an administrator during initial install of Homebrew. Afterwards, their login has rwx on that directory and subdirectories. – Marc Wilson Apr 07 '22 at 20:53
  • @MarcWilson Not sure I understand. Yes, the admin user has rwx on these directories, but you still need to be logged in as that user to install anything there. – nohillside Apr 07 '22 at 21:08
  • They had to be an admin at install time. They do not have to be an admin later. But they still have rwx on the directories. Homebrew is just bad design, assuming that the Mac is a single-user machine. – Marc Wilson Apr 07 '22 at 21:13
  • @MarcWilson How can a non-admin user write to a rwxr-xr-x directory owned by an admin user? Maybe a specific example with usernames would help? – nohillside Apr 07 '22 at 21:18
  • We're talking past each other. If the login is an admin when the software is installed, and is not an admin later, they are still the owners of the directory and have rwx on it. Where I work no Mac user is an admin on their machines. – Marc Wilson Apr 07 '22 at 21:33
  • @MarcWilson Who is "they"? Homebrew installs into a directory owned by an admin user, non-admin users don't have write access there. If a user gets promoted to Admin to install Homebrew and demoted again afterwards, then yes, there is an issue. But this is bad practice to start with (and not directly related to Homebrew because I can misuse the temporary admin rights directly). – nohillside Apr 07 '22 at 21:36
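
The shadowing condition described in the answer (a user-writable directory that comes earlier in PATH than the directory holding the real command) can be audited on a given machine. The following is an added example, not part of the original answer or of Homebrew; the function name `shadowed_commands` is an assumption of this example. It walks a PATH string in search order and reports every executable in a directory writable by the current user that takes precedence over a same-named executable later in PATH.

```shell
#!/bin/sh
# Added example: audit a PATH string for command shadowing from directories
# that the current user can write to. shadowed_commands is a hypothetical
# helper name, not a Homebrew or macOS tool.

# Usage: shadowed_commands "dir1:dir2:..."
# Prints one line per finding: "<winning path> shadows <later path>".
# The body runs in a subshell so the IFS and set -f changes stay local.
shadowed_commands() (
    IFS=:; set -f; set -- $1; set +f   # split on ':' into "$@" without globbing
    while [ $# -gt 1 ]; do
        dir=$1; shift                  # "$@" now holds only the later entries
        # Only directories the current user can modify are of interest.
        [ -d "$dir" ] && [ -w "$dir" ] || continue
        for cmd in "$dir"/*; do
            [ -f "$cmd" ] && [ -x "$cmd" ] || continue
            name=${cmd##*/}
            for later in "$@"; do
                # Report the first later executable this one hides.
                if [ -f "$later/$name" ] && [ -x "$later/$name" ]; then
                    printf '%s shadows %s\n' "$cmd" "$later/$name"
                    break
                fi
            done
        done
    done
)

# Audit the PATH given as the first argument, or the live PATH by default.
shadowed_commands "${1:-$PATH}"
```

Most findings on a working system are intentional (a package-manager build of a tool placed ahead of the system copy); the entries to investigate are security-sensitive names such as `sudo` that were never knowingly installed.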