3

I was reading a Stack Exchange answer here about a connected topic, and part of the accepted answer said this:

never place user-writeable PATH elements ahead of those that can only be modified by root

Is this true? Is it dangerous to have /usr/local/bin ahead of /usr/bin in your PATH, due to /usr/local/bin being user-writeable?

The reason I ask is because my own PATH has /usr/local/bin ahead of /usr/bin; the reason being that I followed the advice of Homebrew (a third-party package manager for MacOS). They even give you a command (on this page) to make this change for all users. The purpose of this is that Homebrew installs its binaries to /usr/local/bin, so by putting it ahead of /usr/bin in the PATH, it allows you (and other applications) to access newer versions of binaries that you've installed through Homebrew into /usr/local/bin, instead of the (often outdated) default versions in /usr/bin included with MacOS.

The specific danger alleged by the guy I originally linked to is this:

[P]utting /usr/local/bin ahead of /usr/bin in the PATH... would be a security hole since Homebrew gives ownership of that directory to your user. That permission change from the macOS default means that even an extremely unsophisticated malware could use this hole to get root privileges. All they'd have to do is add some other common command here like ls, then pass the commands through to /bin/ls until they see you've run it through sudo, then they take over.

I tried finding out the default PATH for MacOS. I think I changed mine with the command provided by Homebrew (follow link above to see it). So my new "default" PATH in MacOS has /usr/local/bin ahead of /usr/bin. But from searching, I think the stock PATH provided by Apple does actually have /usr/bin ahead of /usr/local/bin; the accepted answer here and the third answer here (the one by Mike Taber) seem to suggest this. From their answers, it looks like the default MacOS PATH is something like /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin, which I think would be impervious to the attack described above, right?

I think I understand the theory of the attack. But if it's right, then why is Homebrew recommending doing something which is apparently dangerous?

(EDIT: I just edited the order of these paragraphs because it wasn't in a logical order before)


TL;DR

Is it dangerous to have user-writeable directories like /usr/local/bin ahead of /usr/bin in your PATH, and if so, why does Homebrew (third-party package manager for MacOS) recommend it?

2
  • Ubuntu has the same default order, and I disagree with changing the order, but I do keep tight control over what programs I load. The reason I prefer the default order is that I can load an updated version of one of the standard utilities which offers extended facilities, though I normally use my private $HOME/bin directory for this. I am willing to live with the security risk of replacing one of the standard utilities, since /usr/local/bin is read-only to non-root users.
    – AFH
    Commented Oct 28, 2019 at 17:10
  • 1
    Homebrew recommends it because quite a few MacOS-supplied binaries are quite old, and the Homebrew variants are much more current. So if you want up-to-date variants, you have to prefer those in /usr/local/bin over those in /usr/bin, anyway. It's only "dangerous" if you don't trust the Homebrew binaries.
    – dirkt
    Commented Oct 29, 2019 at 11:06

1 Answer

4

The obvious danger

If this combination exists

  • /usr/local/bin before /usr/bin
  • /usr/local/bin writable by non-root user
  • machine used by more than one user

Then the non-root user can effectively insert commonly-named binaries (ls was mentioned in the comments already) into that area and thus cause other users to unknowingly execute his/her program. Note that the difference of order only changes the behaviour for programs the other user knows and invokes.

It is also a security risk if any non-root user can write to any directory that is in the $PATH of other users because said non-root user could add binary names with misspelled or misleading names and still hope that sometime the other users call it.

On a single-user machine there is little difference, because the user is always free to configure the path as wanted.

The less-obvious danger

The reason for having /usr/bin before /usr/local/bin by default is that /usr/bin are files supplied by the system (considered trustworthy and stable) and /usr/local/bin are applications added by the local system administrator (have possibly had less testing, might get outdated due to not being kept up-to-date as part of the operating system).

Why does a third-party package manager recommend the settings

My understanding is that sometimes one might want to install packages through the package manager which already exist on the system, with the intention of e.g. getting a newer version. Consider installing a new version of vi. If /usr/bin comes before /usr/local/bin, calling vi in the terminal would still start "the old version", effectively looking as if no new version were installed. With the order /usr/local/bin before /usr/bin, the programs from the third-party package manager take precedence.
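One way to check a machine for the combination listed under "The obvious danger", as an added example that is not part of the original answer: it walks PATH in order, reports each directory that is not root-only yet precedes a root-only one, and lists the command names it currently shadows. The function names are hypothetical, and "root-only" is assumed to mean owned by uid 0 and not group- or world-writable; parent directories are not inspected.

```python
import os
import stat

def is_root_only(directory):
    """Assumption of this example: root-only = owned by uid 0 and
    not writable by group or others."""
    st = os.stat(directory)
    return st.st_uid == 0 and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)

def executables(directory):
    """Names of executable regular files (symlinks followed) in directory."""
    try:
        return {e.name for e in os.scandir(directory)
                if e.is_file() and os.access(e.path, os.X_OK)}
    except OSError:  # unreadable directory: nothing we can list
        return set()

def audit_path(path_value, root_only=is_root_only):
    """Return (dir, shadowed_names) for every PATH entry that is not
    root-only but is searched before at least one root-only entry."""
    dirs = []
    for d in path_value.split(os.pathsep):
        d = d or "."  # an empty PATH element means the current directory
        if os.path.isdir(d) and d not in dirs:
            dirs.append(d)
    findings = []
    for i, d in enumerate(dirs):
        if root_only(d):
            continue
        later = [x for x in dirs[i + 1:] if root_only(x)]
        if not later:
            continue  # nothing trusted is searched after this entry
        system_names = set().union(*(executables(x) for x in later))
        # Names present in both places: the writable copy is the one that runs.
        findings.append((d, sorted(executables(d) & system_names)))
    return findings

if __name__ == "__main__":
    for d, shadowed in audit_path(os.environ.get("PATH", "")):
        print(f"{d}: not root-only, searched before root-only directories")
        for name in shadowed:
            print(f"  shadows a system command: {name}")
```

With Homebrew installed, shadowed names are expected for packages you chose to install; an entry such as ls or sudo that you did not install is the case worth investigating.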
