The implications are exactly what you think they are, and that's why no one who cares about security should use Homebrew for anything critical, or at all. Installing Homebrew as recommended means that from then on, any process or application you launch can write anything it wants into the first directory that gets searched for command line binaries, change its mode to execute and give it the same name as a system binary. It will then run instead of the system binary whenever you type the program with the same name in the command line (unless you type the full path to it). The potential for exploitation is huge. Few people if any ever type the full path to workaday binaries like ls, find, cat, sudo and many others. And as shown in my example, any of these could be hijacked to perform different operations because of the way Homebrew is installed. This can be done and cleaned up in such a way that you'd never know it had happened.
how Homebrew invites users to get pwned (applehelpwriter.com)
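The mechanism the post above describes is ordinary PATH resolution: the shell runs the first executable whose name matches, and on a default macOS install /usr/local/bin (made user-writable by Homebrew) is searched before /usr/bin. The audit script below is an added example, not code from either quoted post; it takes a PATH string, lists the entries the current user can write to, and reports any command name in such a directory that also exists in a later directory (the later one is what the system intended to run). It assumes only POSIX sh and the standard utilities, so it can be run on a Linux box as well as a Mac.

```sh
#!/bin/sh
# Added example (not from either quoted post): audit a PATH string for
# user-writable directories and for command names that shadow a binary
# found later in the search order. Assumes POSIX sh, tr, basename, sed.

# Print each entry of the PATH string "$1" that exists and is writable by
# the current user, in search order.
writable_path_dirs() {
  printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
    if [ -n "$dir" ] && [ -d "$dir" ] && [ -w "$dir" ]; then
      printf '%s\n' "$dir"
    fi
  done
}

# Print the directories that follow "$2" in the PATH string "$1".
dirs_after() {
  found=0
  printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
    if [ "$found" -eq 1 ]; then
      printf '%s\n' "$d"
    elif [ "$d" = "$2" ]; then
      found=1
    fi
  done
}

# Print the first directory after "$2" in PATH "$1" that holds an
# executable named "$3"; print nothing if there is none.
first_later_match() {
  dirs_after "$1" "$2" | while IFS= read -r later; do
    if [ -f "$later/$3" ] && [ -x "$later/$3" ]; then
      printf '%s\n' "$later"
      break
    fi
  done
}

# For PATH "$1", print "name writable_dir shadowed_dir" for every
# executable in a writable directory that hides a same-named executable
# further down the search order.
shadowed_commands() {
  path="$1"
  writable_path_dirs "$path" | while IFS= read -r wdir; do
    for f in "$wdir"/*; do
      [ -f "$f" ] && [ -x "$f" ] || continue
      name=$(basename "$f")
      later=$(first_later_match "$path" "$wdir" "$name")
      if [ -n "$later" ]; then
        printf '%s %s %s\n' "$name" "$wdir" "$later"
      fi
    done
  done
}

# Human-readable report; exit status 1 when at least one command is shadowed
# so the function can be used from a login hook or a monitoring job.
audit_path() {
  path="${1:-$PATH}"
  echo "User-writable directories in PATH (search order):"
  writable_path_dirs "$path" | sed 's/^/  /'
  echo "Commands shadowed by a file in a writable directory:"
  found=$(shadowed_commands "$path")
  if [ -n "$found" ]; then
    printf '%s\n' "$found" | sed 's/^/  /'
    return 1
  fi
  return 0
}

# Usage: sh audit_path.sh "$PATH"
if [ "$#" -gt 0 ]; then
  audit_path "$1"
fi
```

A non-zero exit from audit_path is the condition the quoted post warns about: a directory you (and therefore every process running as you) can write to sits ahead of the system directories, and something in it already carries the name of a system command. Running it once after installing Homebrew and periodically afterwards gives a baseline to diff against.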
Homebrew makes a number of questionable design decisions, but one of these deserves its own section: the choice to explicitly eschew root (in fact, it will refuse to work at all if run this way). This fundamentally is a very bad idea: package managers that install software for all users of your computer, as Homebrew does by default, should always require elevated privileges to function correctly. This decision has significant consequences for both security and usability, especially with the advent of System Integrity Protection in OS X El Capitan.
Thoughts on macOS Package Managers (saagarjha.com)