Opened 22 months ago
Last modified 10 months ago
#66878 new defect
Crowdstrike (security scanner) freaks out when the package installer runs
Reported by: | chrisridd (Chris Ridd) | Owned by: | |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | base | Version: | 2.8.1 |
Keywords: | | Cc: | |
Port: | | | |
Description (last modified by chrisridd (Chris Ridd))
Our IT folks use some software called Crowdstrike to protect our Macs.
I don't know if the package installer script has changed recently, or if Crowdstrike's become more sensitive, but installing the MacPorts-2.8.1-13-Ventura.pkg just now caused Crowdstrike to freak out and kill the script.
Maybe there's another way to do what the installer's doing without upsetting Crowdstrike? Or maybe MacPorts can ask Crowdstrike to whitelist this particular script?
Here is a screenshot of the Crowdstrike error:
The script it is complaining about is this:
```
/bin/sh -c if test -n "/usr/bin/dscl" -a -n "/usr/sbin/dseditgroup" ; then if ! /usr/bin/dscl -q . -read "/Groups/macports" > /dev/null 2>&1 ; then if test `id -u` -eq 0; then echo "Creating group \"macports\"" ; /usr/sbin/dseditgroup -q -o create "macports" ; else echo "Not creating group \"macports\" (not root)" ; fi ; fi ; if ! /usr/bin/dscl -q . -list "/Users/macports" > /dev/null 2>&1 ; then if test `id -u` -eq 0; then echo "Creating user \"macports\"" ; NEXTUID=501; while test -n "`/usr/bin/dscl -q /Search -search /Users UniqueID $NEXTUID`"; do let "NEXTUID=NEXTUID+1"; done; /usr/bin/dscl -q . -create "/Users/macports" UniqueID $NEXTUID ; /usr/bin/dscl -q . -delete "/Users/macports" AuthenticationAuthority ; /usr/bin/dscl -q . -delete "/Users/macports" PasswordPolicyOptions ; /usr/bin/dscl -q . -delete "/Users/macports" dsAttrTypeNative:KerberosKeys ; /usr/bin/dscl -q . -delete "/Users/macports" dsAttrTypeNative:ShadowHashData ; /usr/bin/dscl -q . -create "/Users/macports" RealName MacPorts ; /usr/bin/dscl -q . -create "/Users/macports" Password \* ; /usr/bin/dscl -q . -create "/Users/macports" PrimaryGroupID $(/usr/bin/dscl -q . -read "/Groups/macports" PrimaryGroupID | /usr/bin/awk '{print $2}') ; /usr/bin/dscl -q . -create "/Users/macports" NFSHomeDirectory "/opt/local/var/macports/home" ; /usr/bin/dscl -q . -create "/Users/macports" UserShell /usr/bin/false ; else echo "Not creating user \"macports\" (not root)" ; fi ; fi ; if test "$(/usr/bin/dscl -q . -read "/Users/macports" NFSHomeDirectory)" = "NFSHomeDirectory: /var/empty" ; then if test `id -u` -eq 0; then echo "Updating home directory location for user \"macports\"" ; /usr/bin/dscl -q . -create "/Users/macports" NFSHomeDirectory "/opt/local/var/macports/home" ; else echo "Not updating home directory location for user \"macports\" (not root)" ; fi ; fi ; if test "22" -eq 8 -a `id -u` -eq 0; then GID=`/usr/bin/dscl -q . -read "/Groups/macports" PrimaryGroupID | /usr/bin/awk '{print $2}'` ; if test "`/usr/bin/dscl -q . -read "/Users/macports" PrimaryGroupID 2>/dev/null | /usr/bin/awk '{print $2}'`" != "$GID"; then echo "Fixing PrimaryGroupID for user \"macports\"" ; /usr/bin/dscl -q . -create "/Users/macports" PrimaryGroupID $GID ; /usr/bin/dscl -q . -create "/Users/macports" RealName MacPorts ; fi ; fi ; else echo "Can't find /usr/bin/dscl / /usr/sbin/dseditgroup, not creating user \"macports\"" ; fi
```
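For triaging an alert like this one, the directory-service calls in the flagged command line can be listed and checked against the records the installer is expected to touch. This is an added example, not part of the ticket or of MacPorts; the function names, the regular expressions and the set of allowed records are assumptions, and the sample is an excerpt of the command line quoted in the description above.

```python
import re

# Constructed sample: the account-creation calls from the command line quoted
# in the ticket, one per line (the shell control flow around them is left out).
FLAGGED = r'''
/usr/sbin/dseditgroup -q -o create "macports"
/usr/bin/dscl -q . -list "/Users/macports" > /dev/null 2>&1
/usr/bin/dscl -q /Search -search /Users UniqueID $NEXTUID
/usr/bin/dscl -q . -create "/Users/macports" UniqueID $NEXTUID
/usr/bin/dscl -q . -delete "/Users/macports" AuthenticationAuthority
/usr/bin/dscl -q . -delete "/Users/macports" PasswordPolicyOptions
/usr/bin/dscl -q . -delete "/Users/macports" dsAttrTypeNative:KerberosKeys
/usr/bin/dscl -q . -delete "/Users/macports" dsAttrTypeNative:ShadowHashData
/usr/bin/dscl -q . -create "/Users/macports" RealName MacPorts
/usr/bin/dscl -q . -create "/Users/macports" Password \*
/usr/bin/dscl -q . -create "/Users/macports" PrimaryGroupID $(/usr/bin/dscl -q . -read "/Groups/macports" PrimaryGroupID | /usr/bin/awk '{print $2}')
/usr/bin/dscl -q . -create "/Users/macports" NFSHomeDirectory "/opt/local/var/macports/home"
/usr/bin/dscl -q . -create "/Users/macports" UserShell /usr/bin/false
'''

# Hypothetical patterns written for the call shapes seen in this command line.
DSCL = re.compile(
    r'/usr/bin/dscl -q (\S+) -(\w+) "?(/[^"\s]+)"?(?: +([A-Za-z][\w:]*))?')
DSEDITGROUP = re.compile(r'/usr/sbin/dseditgroup -q -o (\w+) "([^"]+)"')
READ_ONLY = {"read", "list", "search"}

def directory_ops(cmdline):
    """Return (verb, record, attribute) for every dscl/dseditgroup call."""
    ops = [(m.group(2), m.group(3), m.group(4)) for m in DSCL.finditer(cmdline)]
    ops += [(m.group(1), "/Groups/" + m.group(2), None)
            for m in DSEDITGROUP.finditer(cmdline)]
    return ops

def mutations(ops):
    """Keep only the calls that change the directory (create/delete)."""
    return [op for op in ops if op[0] not in READ_ONLY]

def out_of_scope(ops, allowed):
    """Mutations that target a record outside the allowed set."""
    return [op for op in mutations(ops) if op[1] not in allowed]

if __name__ == "__main__":
    ops = directory_ops(FLAGGED)
    for verb, record, attr in mutations(ops):
        print(f"{verb:7} {record:18} {attr or ''}")
    stray = out_of_scope(ops, {"/Users/macports", "/Groups/macports"})
    print("writes outside the macports records:", stray or "none")
```
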
Attachments (1)
Change History (4)
Changed 22 months ago by chrisridd (Chris Ridd)
Attachment: | crowdstrike.png added |
---|
comment:1 Changed 22 months ago by chrisridd (Chris Ridd)
Description: | modified (diff) |
---|
comment:2 Changed 21 months ago by ryandesign (Ryan Carsten Schmidt)
I'm not familiar with Crowdstrike. If it is preventing you from using MacPorts, you should report that to its developers and/or to your IT department.
The code it's complaining about is here:
As you can see, it hasn't really changed in at least nine years.
If what this code does can be done a different way that does not upset Crowdstrike, let us know here or by filing a pull request.
comment:3 Changed 10 months ago by jmroot (Joshua Root)
Another user reported a Crowdstrike complaint; not clear if it's for similar reasons as this one: #69187
BTW, the code Ryan linked to is what runs for source installs (including selfupdate). The equivalent code that runs in the .pkg installer is here: https://github.com/macports/macports-base/blob/v2.9.0/portmgr/dmg/postflight.in#L171
Screenshot of the Crowdstrike alert