Re: [homebrew] root-only admin setups
- From:
- Vlad Didenko
- Date:
- 2011-12-04 @ 17:14
I am not sure I follow. Can you clarify? So, for example. I have user root
and non-admin user vlad. Root installs homebrew as root and we end up
with:
-rwx------ 1 admin 4.3K Nov 13 19:46 /usr/local/bin/brew
Imagine that we end up with 755 permissions:
-rwxr-xr-x 1 admin 4.3K Nov 13 19:46 /usr/local/bin/brew
Then root runs "brew install foo", and we, for the sake of scenario, end up with:
-rwxr-xr-x 1 admin 4.3K Nov 13 19:46 /usr/local/bin/foo
If "foo" is run by root, then it will have root-level access to the system.
If vlad runs "foo", then it will have vlad's access to the system, which
is non-admin.
That is true if the set-user-ID-on-execution or set-group-ID-on-execution
bits are not set, i.e. "foo" does not have s or S in its permissions and
no special ACLs are defined.
So, if after install brew makes sure there are no set-*-ID-on-execution
permission bits and no ACLs, then installing as a higher-privilege user
should not be a problem. And I would think it is a reasonable expectation
in 99.(9)% of homebrew use cases [to drop s-bits and ACLs].
On the contrary, running "foo" as vlad, when it was installed by vlad,
increases security risk, as malware has all the necessary filesystem
permissions to modify program "foo" if the malware is accidentally run by
vlad. That way the malware would be executed every time anyone runs foo,
without extra executables on the system.
On Dec 3, 2011, at 11:50 PM, Charlie Sharpsteen wrote:
> On Sat, Dec 3, 2011 at 7:47 PM, Vlad Didenko <mr.didenko@gmail.com> wrote:
>
>> Colleagues,
>>
>> I have macs where no users (none of the two) but root have admin
>> privileges. The setup seems to work fine with all applications but
>> homebrew. I can not run brew from root, I can not run it via sudo. How
>> would I use homebrew in this setup?
>>
>> Regards,
>> Vlad
>>
>
> Note that Homebrew does not drop permissions before running installation
> scripts. Because of this, I would never recommend running `brew install`
> with root permissions as the scripts invoked will have permission to do
> whatever they please to your system.
>
>
> -Charlie
Re: [homebrew] root-only admin setups
- From:
- Charlie Sharpsteen
- Date:
- 2011-12-04 @ 18:04
On Sun, Dec 4, 2011 at 9:14 AM, Vlad Didenko <mr.didenko@gmail.com> wrote:
> I am not sure I follow. Can you clarify?
>
Sure. Here's the important part:
> Then root runs "brew install foo",
If root runs `brew install foo`, then all the arbitrary code in foo's `def
install` block, `configure` script, and `make` step gets run with root
permissions. These pieces of code are not audited and may contain bugs that
would cause them to alter files in undesirable ways. Typically a package
manager, such as MacPorts, will drop root permissions for every step except
for `make install` so that any code that is involved in configuring and
compiling the software cannot alter the root system due to lack of
permissions.
Homebrew does not drop permissions since it is not designed to be run by
the root user. The chances of something bad happening are small, but I
still wouldn't recommend installing Homebrew as root to someone who is
worried about security because you will end up running a ton of unaudited
code with root permissions during the configuration and compilation steps.
A better setup would be to have a non-root admin user named brew who owns
HOMEBREW_PREFIX and can install software. Other users can run the software
installed by the brew user, but cannot modify the software or use the
`brew` command to install new software due to lack of permissions.
-Charlie
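The two invariants the thread settles on can be checked mechanically: Vlad's point that nothing brew installs may carry a setuid/setgid bit or an ACL, and Charlie's model in which one dedicated non-root user owns HOMEBREW_PREFIX and nobody else can modify what is there. The audit below is an added example written for this page; it is not Homebrew's own code and Homebrew ships no such check. It assumes only POSIX find, ls and chmod; the prefix path and the expected owner (`brew` in Charlie's setup) are parameters, and the ACL detection relies on the `+` suffix that both GNU ls and BSD/macOS ls print in the mode string when an ACL is present.

```shell
#!/bin/sh
# Added example, not Homebrew code: audit a prefix for the invariants
# discussed in the thread. Assumes POSIX find/ls/chmod only.

# Regular files under $1 with the setuid or setgid bit set.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}

# Entries under $1 whose long listing mode ends in '+', the ACL marker used
# by both GNU ls and BSD/macOS ls ('@' on macOS means xattrs, not an ACL).
find_acl_entries() {
    find "$1" | while IFS= read -r path; do
        case "$(ls -ld "$path" | awk '{print $1}')" in
            *+) printf '%s\n' "$path" ;;
        esac
    done
}

# Entries under $1 not owned by user $2: another account could then
# chmod/chown them, which breaks the "only the brew user can modify" model.
find_foreign_owned() {
    find "$1" ! -user "$2"
}

# Non-symlink entries under $1 that any user on the system can write to.
# Symlinks are skipped because Linux reports them as mode 0777.
find_world_writable() {
    find "$1" ! -type l -perm -0002
}

# Clear setuid/setgid bits and world-write under $1; 0 if clean afterward.
harden_prefix() {
    find_setid_files "$1" | while IFS= read -r f; do chmod u-s,g-s "$f"; done
    find_world_writable "$1" | while IFS= read -r f; do chmod o-w "$f"; done
    [ -z "$(find_setid_files "$1")" ] && [ -z "$(find_world_writable "$1")" ]
}

# audit_prefix PREFIX OWNER: print each finding, return 0 only if all pass.
audit_prefix() {
    prefix=$1
    owner=$2
    status=0
    for check in find_setid_files find_acl_entries find_foreign_owned find_world_writable; do
        case $check in
            find_foreign_owned) out=$($check "$prefix" "$owner") ;;
            *)                  out=$($check "$prefix") ;;
        esac
        if [ -n "$out" ]; then
            printf '%s: FAIL\n%s\n' "$check" "$out"
            status=1
        else
            printf '%s: ok\n' "$check"
        fi
    done
    return $status
}

# Usage (hypothetical paths/owner from the thread): audit_prefix /usr/local brew
```

Run it as the brew user after each install, or from root as a periodic check; a non-zero exit means the prefix has drifted from the model, and harden_prefix repairs the two conditions that can be fixed with chmod alone (ownership and ACL problems are left for a human, since fixing them requires deciding who should own the file).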
Re: [homebrew] root-only admin setups
- From:
- Vlad Didenko
- Date:
- 2011-12-04 @ 19:08
OK, I like that setup much better, thank you!
So, from what I understand, the impact of malicious software is contained
within the "brew" user account at install time. Similarly, the impact is
contained within the end-user account at application run time (that is,
as usual).
On Dec 4, 2011, at 12:04 PM, Charlie Sharpsteen wrote:
> On Sun, Dec 4, 2011 at 9:14 AM, Vlad Didenko <mr.didenko@gmail.com> wrote:
>
> … Snip …
>
> A better setup would be to have a non-root admin user named brew who owns
> HOMEBREW_PREFIX and can install software. Other users can run the software
> installed by the brew user, but cannot modify the software or use the
> `brew` command to install new software due to lack of permissions.
>
> -Charlie