I want to install homebrew in the safest possible way (single user system). It is often criticized that homebrew takes precedence over `/usr/bin` and `/bin` (in `/etc/path`) and therefore any malware can simply put binaries or libraries there.
For example, software that I install with Homebrew could deliver an infected binary file called "sudo".
How can you prevent this and still install binary files that are already provided by macOS (e.g. git or ruby)?

Viewed 555 times

- *"It is often criticized that homebrew takes precedence over /usr/bin and /bin..."* - is it? As far as I can see the user has to make modifications themselves in order to prefer homebrew binaries to system binaries. Do you have any sources for your claim? Apart from that I don't understand what you are asking: you want to be able to install arbitrary binaries which also have names like system binaries yet you don't want to make sure that no such binaries are installed? If it's about which binary with the same name is called when no absolute path is used then don't add homebrew first to PATH. – Steffen Ullrich Dec 21 '19 at 20:28
- Homebrew does these modifications when executing the [install script](https://raw.githubusercontent.com/Homebrew/install/master/install). For example, it has been criticized in [this post](https://applehelpwriter.com/2018/03/21/how-homebrew-invites-users-to-get-pwned/). – hidisem627 Dec 21 '19 at 20:55
- I want to install selected binaries like `git` or `ruby` via homebrew and at the same time protect binaries like `sudo`. Is it even possible to use homebrew safely without major restrictions? – hidisem627 Dec 21 '19 at 21:00
- I see what you mean. In this case either remove `/usr/local/bin` from the default path or move it to the end to make sure that no homebrew binaries will take preference over system commands. Of course in this case the system git will be called when you just type `git`. You cannot have it both ways, i.e. use the homebrew binary for "safe" commands and use the system binaries for critical commands - there is no definition of what is a safe and what is a critical command. To call a specific version of the binary use the full path, i.e. `/usr/bin/sudo`, `/usr/bin/git`, `/usr/local/bin/git` etc. – Steffen Ullrich Dec 21 '19 at 21:15
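The two things the last comment recommends, auditing which Homebrew-installed commands share a name with a system binary and rebuilding `PATH` so the system directories come first, can be scripted. The following is an added example written for this page, not code from the thread or from Homebrew. Directory names are passed as parameters, and the demo at the bottom runs against a constructed temporary tree (empty executable files named `git`, `ruby`, `sudo`, `brew-only`) so it runs on any POSIX shell; on a real Mac you would pass `/usr/local/bin` (or `/opt/homebrew/bin`) as the prefix and `/usr/bin /bin /usr/sbin /sbin` as the system directories.

```shell
#!/bin/sh
# Added example (not from the original thread).  Two helpers for the advice
# above: list the commands in a Homebrew bin directory that also exist as
# system binaries (the ones a PATH with /usr/local/bin first would silently
# prefer), and rebuild PATH with that directory moved to the end so the
# system copy wins and the Homebrew copy must be invoked by full path.

# shadowed_commands PREFIX_BIN SYS_DIR...
# Prints, one per line, each executable name in PREFIX_BIN that also exists
# as an executable in at least one SYS_DIR.
shadowed_commands() {
    prefix_bin=$1
    shift
    for f in "$prefix_bin"/*; do
        [ -x "$f" ] || continue
        name=${f##*/}
        for d in "$@"; do
            if [ -x "$d/$name" ]; then
                printf '%s\n' "$name"
                break
            fi
        done
    done
}

# system_first_path PATH_VALUE PREFIX_BIN
# Prints PATH_VALUE with every occurrence of PREFIX_BIN removed and a single
# copy appended at the end; all other entries keep their relative order.
system_first_path() {
    path_value=$1
    prefix_bin=$2
    old_ifs=$IFS
    IFS=:
    set -- $path_value
    IFS=$old_ifs
    out=
    for d in "$@"; do
        [ "$d" = "$prefix_bin" ] && continue
        out=${out:+$out:}$d
    done
    printf '%s\n' "${out:+$out:}$prefix_bin"
}

# resolve_with PATH_VALUE NAME
# Prints the file the shell would execute for NAME under PATH_VALUE
# (evaluated in a subshell so the caller's PATH is untouched).
resolve_with() {
    ( PATH=$1; export PATH; command -v "$2" )
}

# make_fixture: constructed stand-in for /usr/local/bin, /usr/bin and /bin,
# populated with empty executable files named like real commands.
# Prints the root of the temporary tree.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/brew" "$root/usrbin" "$root/bin"
    for n in git ruby sudo brew-only; do
        : > "$root/brew/$n"; chmod 755 "$root/brew/$n"
    done
    for n in git ruby; do
        : > "$root/usrbin/$n"; chmod 755 "$root/usrbin/$n"
    done
    : > "$root/bin/sudo"; chmod 755 "$root/bin/sudo"
    printf '%s\n' "$root"
}

# Demo on the constructed tree.  bad_path mirrors the ordering the Homebrew
# installer sets up (prefix first); good_path is the hardened ordering.
root=$(make_fixture)
bad_path="$root/brew:$root/usrbin:$root/bin"
good_path=$(system_first_path "$bad_path" "$root/brew")

echo "commands in $root/brew that shadow a system binary:"
shadowed_commands "$root/brew" "$root/usrbin" "$root/bin"
echo "sudo with Homebrew first: $(resolve_with "$bad_path" sudo)"
echo "sudo with system first:   $(resolve_with "$good_path" sudo)"
rm -rf "$root"
```

With the hardened ordering a bare `git` still resolves to the system copy, exactly as the comment warns; the Homebrew `git` is reached only as `/usr/local/bin/git`, while a Homebrew-only command such as `brew` itself keeps working because its directory is still on `PATH`, just last. Re-run the audit after each `brew install`, since any formula that ships a binary named like a system command will show up in the shadow list.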