I’ve talked before about the various problems with binary package management systems. I have praised BSD’s Ports, where a source code tree allows you to install packages from source with all their dependencies. However, I’ve never seen a binary package manager that creates a bigger security problem by being installed than by being absent. That is the case with Homebrew.
I was trying to find out how the Homebrew team greenlights their packages to ensure that they aren’t filled with viruses. And then I found something disturbing. Very disturbing. A while back, Homebrew ditched the use of sudo, a move that many praised. However, as experienced UNIX people know, poking holes in the system never ends well.
Homebrew made the installation directory for packages, /usr/local/bin (Yes, I know it’s /opt/local/bin on Apple Silicon), writable to the user that installed Homebrew. This doesn’t seem that bad on the surface until you factor the PATH environment variable in.
The best way I can describe this is that the PATH environment variable is a list of directories that contain binaries. When the user types a command, the system looks through each directory in order and runs the first match it finds. The problem is that Apple put /usr/local/bin first in the PATH environment variable. This is how the directories are listed on a Mac without Homebrew or anything else that alters the PATH variable:
/opt/local/bin <- Homebrew makes this writable by you on Apple Silicon
/opt/local/sbin
/usr/local/bin <- Homebrew makes this writable by you on Intel Macs
/usr/bin
/bin
/usr/sbin
/sbin
What does this mean for you?
Ok, here’s where the vulnerability comes in. Imagine if someone wanted to make a fake sudo command that grabs your password to elevate itself to administrator. In Macs that have Homebrew installed, as the sudo binary is located in /usr/bin, a malicious program can place a script called “sudo” in /usr/local/bin or /opt/local/bin that takes your password and then uses it to allow a virus to gain administrator access. In other words, Homebrew creates an administrator security bypass when it is installed.
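The check below is an added example, not something from the post or from the Homebrew project. It audits a PATH value for directories that are writable by the current user and come before Apple’s system directories, and it reports when a system command such as sudo would resolve to a same-named executable in one of those writable directories. The list of system directories is the one given above and is an assumption about the default macOS layout; it can be overridden through AUDIT_SYSTEM_DIRS so the check can be pointed at another layout or at a test fixture.

```shell
#!/bin/sh
# Added example (not from the post): audit a PATH value for user-writable
# directories that come before the system directories, and detect a system
# command shadowed by a same-named executable placed in such a directory.

# Directories the post lists as Apple's system locations. Overridable so the
# check can be pointed at another layout (assumption: default macOS layout).
: "${AUDIT_SYSTEM_DIRS:=/usr/bin /bin /usr/sbin /sbin}"

# Is directory $1 one of the protected system directories?
is_system_dir() {
    for s in $AUDIT_SYSTEM_DIRS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# Print every entry of the PATH value $1 that is writable by the current user
# and appears before the first system directory. A file dropped into such a
# directory wins the lookup over the system command of the same name.
writable_before_system() {
    _old_ifs=$IFS; IFS=:
    set -- $1
    IFS=$_old_ifs
    for d in "$@"; do
        [ -n "$d" ] || continue
        is_system_dir "$d" && break
        [ -d "$d" ] && [ -w "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# Print the first directory in the PATH value $1 that contains an executable
# file named $2 (the directory the shell would actually run it from).
first_hit() {
    _cmd=$2
    _old_ifs=$IFS; IFS=:
    set -- $1
    IFS=$_old_ifs
    for d in "$@"; do
        if [ -n "$d" ] && [ -x "$d/$_cmd" ] && [ ! -d "$d/$_cmd" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Report whether command $2, resolved through PATH value $1, is shadowed: its
# first hit lives in a user-writable non-system directory while a system
# directory also provides it. Prints a line and returns 1 when shadowed,
# returns 0 otherwise.
shadow_report() {
    _hit=$(first_hit "$1" "$2") || return 0   # command not found at all
    is_system_dir "$_hit" && return 0          # resolves to the system copy
    [ -w "$_hit" ] || return 0                 # not writable by this user
    for s in $AUDIT_SYSTEM_DIRS; do
        if [ -x "$s/$2" ]; then
            printf 'SHADOWED: %s resolves to %s/%s ahead of %s/%s\n' \
                "$2" "$_hit" "$2" "$s" "$2"
            return 1
        fi
    done
    return 0
}

# Audit PATH value $1 for the commands given as remaining arguments.
# Returns 1 if any command is shadowed, 0 otherwise.
audit_path() {
    _path=$1; shift
    _status=0
    for _w in $(writable_before_system "$_path"); do
        printf 'writable directory ahead of system dirs: %s\n' "$_w"
    done
    for _c in "$@"; do
        shadow_report "$_path" "$_c" || _status=1
    done
    return $_status
}

# Stand-alone use: audit the current shell's PATH for a constructed list of
# privileged commands worth checking.
audit_path "$PATH" sudo su && echo "no shadowed commands found"
```

Run it as `sh audit_path.sh` in the shell whose PATH you want to check; the writable-directory lines are the ones to act on, and a SHADOWED line means a same-named file already sits ahead of the system copy.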
What should I do about Homebrew Security?
There is an alternative to Homebrew that, in my opinion, is way better for security. It’s called MacPorts. As Mac is based on BSD, not Linux, Homebrew is a Linux solution to a BSD problem, while MacPorts is a BSD solution to a BSD problem. MacPorts will build packages that you install from source, so everything is tailored to your system configuration. MacPorts also has better support for Apple Silicon.
How do I uninstall Homebrew for better security?
Luckily, Homebrew has made it relatively easy to uninstall. Type in the following command to execute the Homebrew uninstallation script:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/uninstall.sh)"
Once that is done, there are a few other things you may want to do. If you’re on Apple Silicon, you will still need to remove the /opt/homebrew directory from your system. Type:
sudo rm -rf /opt/homebrew
To stop error messages from appearing every time you open Terminal, use nano or vim to open .zprofile and remove the line that calls the “brew” command.
How to install MacPorts?
MacPorts has made this relatively easy. MacPorts installs more like a traditional Mac app than Homebrew does: you download a .pkg file from the MacPorts site. However, make sure the Xcode command-line developer tools are installed first.
Navigate to the MacPorts website and download the installer: https://www.macports.org/install.php.
How to Use MacPorts
You may want to know a few commands you can run to use it:
sudo port selfupdate <- Updates MacPorts and the ports tree
sudo port install <packagename> <- Installs a package
port search <query> <- Searches for ports
port list installed <- Lists installed ports
sudo port uninstall <package> <- Uninstalls a package
sudo port uninstall leaves <- Uninstalls dependencies that are no longer required
sudo port upgrade <package> <- Upgrades a specific outdated package
sudo port upgrade outdated <- Upgrades all outdated packages
If you’re the type that loves hearing about vulnerabilities and loves talking tech, as probably many Homebrew users do, you may be interested in joining the Info Toast Discord: https://discord.gg/rftS5NA. We have a vulnerability watch where we publish the latest vulnerabilities in many popular programs. You can join the vulnerability watch if you love learning about cybersecurity too… or just enjoy being scared ;).