Block installing packages with privileged users


(Itay Mendelawy) #1

In many cases, when installing a package a post-install script will run. This in its core is not an issue. However, if someone installs a package with a privileged user (root, for example) the post install script will run with said permissions.

Not only this is a dangerous behavior, but it may also cause issues later, as files are written with root permissions.

For example, this is Brew’s output when running it as root.

Error: Running Homebrew as root is extremely dangerous and no longer supported.
As Homebrew does not drop privileges on installation you would be giving all
build scripts full access to your system.