I was reading a Stack Exchange answer here about a connected topic, and part of the accepted answer said this:

> never place user-writeable PATH elements ahead of those that can only be modified by root
Is this true? Is it dangerous to have /usr/local/bin ahead of /usr/bin in your PATH, due to /usr/local/bin being user-writeable?
The reason I ask is because my own PATH has /usr/local/bin ahead of /usr/bin; the reason being that I followed the advice of Homebrew (a third-party package manager for MacOS). They even give you a command (on this page) to make this change for all users. The purpose of this is that Homebrew installs its binaries to /usr/local/bin, so by putting it ahead of /usr/bin in the PATH, it allows you (and other applications) to access newer versions of binaries that you've installed through Homebrew into /usr/local/bin, instead of the (often outdated) default versions in /usr/bin included with MacOS.
The specific danger alleged by the guy I originally linked to is this:

> [P]utting /usr/local/bin ahead of /usr/bin in the PATH … would be a security hole since Homebrew gives ownership of that directory to your user. That permission change from the macOS default means that even an extremely unsophisticated malware could use this hole to get root privileges. All they'd have to do is add some other common command here like ls, then pass the commands through to /bin/ls until they see you've run it through sudo, then they take over.
I tried finding out the default PATH for MacOS. I think I changed mine with the command provided by Homebrew (follow link above to see it). So my new "default" PATH in MacOS has /usr/local/bin ahead of /usr/bin. But from searching, I think the stock PATH provided by Apple does actually have /usr/bin ahead of /usr/local/bin; the accepted answer here and the third answer here (the one by Mike Taber) seem to suggest this. From their answers, it looks like the default MacOS PATH is something like /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin, which I think would be impervious to the attack described above, right?
I think I understand the theory of the attack. But if it's right, then why is Homebrew recommending doing something which is apparently dangerous?
(EDIT: I just edited the order of these paragraphs because it wasn't in a logical order before)
TL;DR
Is it dangerous to have user-writeable directories like /usr/local/bin ahead of /usr/bin in your PATH, and if so, why does Homebrew (third-party package manager for MacOS) recommend it?
Best Answer
The obvious danger
If this combination exists:

- /usr/local/bin before /usr/bin
- /usr/local/bin writable by non-root user

Then the non-root user can effectively insert commonly-named binaries (ls was mentioned in the comments already) into that area and thus cause other users to unknowingly execute his/her program. Note that the difference of order only changes the behaviour for programs the other user knows and invokes.

It is also a security risk if any non-root user can write to any directory that is in the $PATH of other users because said non-root user could add binary names with misspelled or misleading names and still hope that sometime the other users call it.

On a single-user machine there is little difference, because the user is always free to configure the path as wanted.
The less-obvious danger
The reason for having /usr/bin before /usr/local/bin by default is that /usr/bin are files supplied by the system (considered trustworthy and stable) and /usr/local/bin are applications added by the local system administrator (have possibly had less testing, might get outdated due to not being kept up-to-date as part of the operating system).

Why does a third-party package manager recommend the settings
My understanding is that sometimes one might want to install packages through the package manager which already exist on the system with the intention of e.g. getting a newer version. Consider installing a new version of vi. If /usr/bin comes before /usr/local/bin, calling vi in the terminal would still start "the old version", effectively looking as if no new version were installed. With the order /usr/local/bin before /usr/bin the programs from the third-party package manager take precedence.