And the resulting environment on your system in /opt is - as a result - better protected. You can enable write support for ntfs in Mavericks.

Given that you download Ports from a common repo with reasonably strict access control, the risk is minimal, I think. The MacPorts system installs software using su privileges, so you have to trust the fact that the "Port" has not been tampered with using patches or alternate source downloads (MacPorts compiles software, no binaries are downloaded, which I think is an advantage as well). I started out with Homebrew (as it is mentioned everywhere) but as Homebrew does not have (probably is pretty much incapable in a reasonable way) postfix, I started looking into MacPorts and got convinced MacPorts is better (for me). So, on my macOS Server, where I am running postfix, dovecot, nginx, minio, etc.

The price to pay is that you have to do all the LCM and patching (by updating ports). MacPorts having its own library tree and being fully independent from macOS itself is also important for me, I don't want a macOS update to kill my MacPorts additions (as these are services multiple users will depend on). The fact that Homebrew opens up /usr/local has been one of the reasons for me to move to MacPorts (the other was that MacPorts is better when the target is system-level additions, which may include all kinds of things that require su privileges to install properly so they are installed safely).

If an attacker / malware / etc has already gotten inside your account, then they have all your data, it's only a matter of time until they keylog you typing your sudo password, so do you really care whether they install further malware in /usr/local/bin or put it in /home/myuser and add that to your path? The end result is the same.

Single-user personal computer

For all intents and purposes, there is only one user on your laptop. So I would agree with you that this is a problem on a multi-user server.
Therefore I could put a malicious program called ls in /usr/local/bin and the next time someone tries to navigate the filesystem, my code will run inside their user account. So assuming that other users have the same bash config as me, then it looks in /usr/local/bin first. usr/local/bin:/usr/bin:/home/mike/bin:/usr/local/sbin:/usr/sbin I don't have access to a Mac, but I assume my linux box is similar enough /usr/local/bin is empty (nothing to replace) but $ echo $PATH On a multi-user system like a server where there are other users logged in, this would be a big problem. How big of a problem is this? Multi-user system What are the risks? As you point out, your user (or anyone in the admin group, or any virus that manages to run as you) can now install software, including over-writing default system stuff. Homebrew changes the permissions of /usr/local/bin from the default drwxr-xr-x root wheel to the less secure drwxrwxr-x myuser admin.

If I am understanding your question correctly, it boils down to: Looks to me as if /usr/local/bin is wide open and the binaries there can in effect take the place of any Apple programs.

I realize that installing hacked stuff is going to end badly regardless, so, assuming brew/port are OK and the installed package isn't corrupted either, what about the implications of either approach when it comes to other malware trying to alter your system? Is there a real difference between those 2 approaches? What happens if either port or brew itself has been hacked? What if the package you're installing has been hacked? I believe, from, that /usr/local/bin, before homebrew, starts out as root-writeable only: drwxr-xr-x 26 root wheel - 884 Oct 17 03:36 bin Trimming out other software, this is my $PATH order: /opt/local/bin #macports Cellar/packer/1.2.5/bin/packer drwxrwxr-x 41 myuser admin 1394 7 Aug 14:28 bin lrwxr-xr-x 1 myuser admin 33 7 Aug 14:28 /usr/local/bin/packer ->.
sudo port install tesseract homebrew bin$ which packer rwxr-xr-x 1 root admin 28120 /opt/local/bin/tesseract drwxr-xr-x 719 root admin 24446 6 Aug 19:55 bin Binaries are usable from /opt/local/bin/, i.e.