homebrew posts

xz backdoor

Reading this weekend about a backdoor introduced to the open source xz project. It doesn’t appear to affect my Ubuntu servers, so I had assumed it wasn’t relevant to me. However, the homebrew version on my Mac was “vulnerable”. It sounds like the exploit would only work on some versions of Linux, but if it does work on Macs, that could be bad. I do a lot of stuff on this computer, including banking, email, coding, etc. They know about it backdooring ssh, but if there’s something they don’t yet know about, it might be a problem.

I have a Fedora install as well. I haven’t checked it yet, but Fedora is usually on the bleeding edge, so if it’s on there, I’ll probably wipe and reinstall. I’ve been considering anyway. Luckily, I don’t do anything important on there.

Even if it didn’t actually do anything bad on the Mac, it may have done something. I had noticed some weeks or months ago (I can’t remember when) that running PHP on the command line was going slow. Running anything would take a minimum of about five seconds, including something simple like php -r 'echo "hello\n";'. I know when I had been making scripts in the past they hadn’t been taking long at all. I did some searches on the web for anybody mentioning something like that and couldn’t find anything. So I kinda just figured maybe it had something to do with the new opcode / whatever cacheing newer versions do or something, like it takes some initial setup that the server can reuse but not the command line. I assumed I was stuck with it and even started moving some scripts to bash partly because of it. When I downgraded xz via homebrew though, I decided to test it. time says the simple php -r line took 0.092 seconds. Nice and snappy. So maybe xz was doing some checks to see if the device was exploitable. It was in the dependency graph of PHP through curl and gd. Can’t say for sure that it just sped up though and if the xz change was what caused it.

I’m glad my scripts finally run quickly again, but hope that nothing was exploited here. I’ll keep an eye on the web to see if anything comes up about Macs being exploitable, and if so I’ll probably reinstall the OS to be safe.

Note: If you have used homewbrew to install PHP, curl, or anything else that might depend on xz, run brew update; brew upgrade to be safe. The dangers of being on the bleeding edge I guess.


Homebrew `composer` 2.6.x failing

For some reason, the Homebrew version of composer hasn’t been working recently, either 2.6.1 or 2.6.2. So I’ve manually grabbed the phar from getcomposer.org and replaced the file it was getting. I’m running the latest MacOS and up to date Homebrew, PHP, and Composer on an Intel Macbook Air. When I would run composer, I would get an exception

Continue reading post "Homebrew `composer` 2.6.x failing"

Unprivileged Homebrew install, 2021 edition

On my new MacBook, I’ve been isolating responsibilities into separate user accounts. This includes an unprivileged “manager” account for installing most global third-party software, and a few development accounts for different purposes. I use Homebrew to install some dev related software, but my old Homebrew setup didn’t work with this conceptually, nor with the more locked down privileges of newer Mac OS versions. I didn’t want to give Homebrew or its packages admin or root privileges, so I have adapted Homebrew’s untar anywhere method to install a globally available Homebrew using the unprivileged manager account, only requiring a privileged account briefly. I’ve also used untar anywhere for a per-account Homebrew install to allow each dev account to have custom versions of any desired packages, with no privileged account required.

Continue reading post "Unprivileged Homebrew install, 2021 edition"

Homebrew install.sh without root

[Update]The following method no longer seems to work due to changes in the install.sh script as well as locked down permissions in newer OS versions. Because of this and changes to my general setup, I have a new Homebrew setup that uses Homebrew’s untar anywhere method.[/Update]

I installed Homebrew, a Mac package manager, recently on my main computer.

Continue reading post "Homebrew install.sh without root"