Opened 22 months ago

Last modified 10 months ago

#66878 new defect

Crowdstrike (security scanner) freaks out when the package installer runs

Reported by: chrisridd (Chris Ridd)
Owned by:
Priority: Normal
Milestone:
Component: base
Version: 2.8.1
Keywords:
Cc:
Port:

Description (last modified by chrisridd (Chris Ridd))

Our IT folks use some software called Crowdstrike to protect our Macs.

I don't know if the package installer script has changed recently, or if Crowdstrike's become more sensitive, but installing the MacPorts-2.8.1-13-Ventura.pkg just now caused Crowdstrike to freak out and kill the script.

Maybe there's another way to do what the installer's doing without upsetting Crowdstrike? Or maybe MacPorts can ask Crowdstrike to whitelist this particular script?

Here is a screenshot of the Crowdstrike error:

Screenshot of the Crowdstrike alert

The script it is complaining about is this:

    # Body of the /bin/sh -c command shown in the alert, reflowed onto
    # separate lines and commented for readability; the commands are unchanged.
    if test -n "/usr/bin/dscl" -a -n "/usr/sbin/dseditgroup" ; then
        # Create the "macports" group if it does not exist yet (root only)
        if ! /usr/bin/dscl -q . -read "/Groups/macports" > /dev/null 2>&1 ; then
            if test `id -u` -eq 0; then
                echo "Creating group \"macports\""
                /usr/sbin/dseditgroup -q -o create "macports"
            else
                echo "Not creating group \"macports\" (not root)"
            fi
        fi
        # Create the "macports" user if it does not exist yet (root only)
        if ! /usr/bin/dscl -q . -list "/Users/macports" > /dev/null 2>&1 ; then
            if test `id -u` -eq 0; then
                echo "Creating user \"macports\""
                # Pick the first unused UID at or above 501
                NEXTUID=501
                while test -n "`/usr/bin/dscl -q /Search -search /Users UniqueID $NEXTUID`"; do
                    let "NEXTUID=NEXTUID+1"
                done
                /usr/bin/dscl -q . -create "/Users/macports" UniqueID $NEXTUID
                # Strip every credential-related attribute so the account cannot log in
                /usr/bin/dscl -q . -delete "/Users/macports" AuthenticationAuthority
                /usr/bin/dscl -q . -delete "/Users/macports" PasswordPolicyOptions
                /usr/bin/dscl -q . -delete "/Users/macports" dsAttrTypeNative:KerberosKeys
                /usr/bin/dscl -q . -delete "/Users/macports" dsAttrTypeNative:ShadowHashData
                /usr/bin/dscl -q . -create "/Users/macports" RealName MacPorts
                /usr/bin/dscl -q . -create "/Users/macports" Password \*
                /usr/bin/dscl -q . -create "/Users/macports" PrimaryGroupID $(/usr/bin/dscl -q . -read "/Groups/macports" PrimaryGroupID | /usr/bin/awk '{print $2}')
                /usr/bin/dscl -q . -create "/Users/macports" NFSHomeDirectory "/opt/local/var/macports/home"
                /usr/bin/dscl -q . -create "/Users/macports" UserShell /usr/bin/false
            else
                echo "Not creating user \"macports\" (not root)"
            fi
        fi
        # Move the home directory of an older "macports" user off /var/empty
        if test "$(/usr/bin/dscl -q . -read "/Users/macports" NFSHomeDirectory)" = "NFSHomeDirectory: /var/empty" ; then
            if test `id -u` -eq 0; then
                echo "Updating home directory location for user \"macports\""
                /usr/bin/dscl -q . -create "/Users/macports" NFSHomeDirectory "/opt/local/var/macports/home"
            else
                echo "Not updating home directory location for user \"macports\" (not root)"
            fi
        fi
        # "22" is the templated Darwin major version; this branch only runs on Darwin 8
        if test "22" -eq 8 -a `id -u` -eq 0; then
            GID=`/usr/bin/dscl -q . -read "/Groups/macports" PrimaryGroupID | /usr/bin/awk '{print $2}'`
            if test "`/usr/bin/dscl -q . -read "/Users/macports" PrimaryGroupID 2>/dev/null | /usr/bin/awk '{print $2}'`" != "$GID"; then
                echo "Fixing PrimaryGroupID for user \"macports\""
                /usr/bin/dscl -q . -create "/Users/macports" PrimaryGroupID $GID
                /usr/bin/dscl -q . -create "/Users/macports" RealName MacPorts
            fi
        fi
    else
        echo "Can't find /usr/bin/dscl / /usr/sbin/dseditgroup, not creating user \"macports\""
    fi
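A post-install check for the service account that script creates, added here as an example (it is not from the ticket or from MacPorts): it parses a `dscl . -read /Users/macports` record, takes the expected attribute values from the script above, uses constructed sample records for offline runs, and only queries the live directory when /usr/bin/dscl is present.

```shell
# Added example (not from the ticket or MacPorts): checks that the "macports"
# service account matches what the installer script above intends: no login
# shell, no usable password, home under /opt/local, auth attributes absent.
get_attr() {  # value of the single-line "KEY: value" attribute $1 in $record
    printf '%s\n' "$record" |
        awk -v k="$1:" '$1 == k { sub(/^[^:]*: */, ""); print; exit }'
}
# check_macports_user_record [EXPECTED_GID] < record
# Reads `dscl . -read /Users/macports` output on stdin, prints one line per
# deviation and returns 0 only if the record looks as the script intends.
check_macports_user_record() {
    rc=0
    record=$(cat)
    v=$(get_attr UserShell)
    [ "$v" = "/usr/bin/false" ] || { echo "UserShell is '$v', expected /usr/bin/false"; rc=1; }
    v=$(get_attr NFSHomeDirectory)
    [ "$v" = "/opt/local/var/macports/home" ] || { echo "NFSHomeDirectory is '$v'"; rc=1; }
    v=$(get_attr Password)
    [ "$v" = "*" ] || { echo "Password is '$v', expected '*' (no usable password)"; rc=1; }
    if [ -n "$1" ]; then
        v=$(get_attr PrimaryGroupID)
        [ "$v" = "$1" ] || { echo "PrimaryGroupID is '$v', expected $1"; rc=1; }
    fi
    # The installer deletes these attributes so the account cannot authenticate.
    for k in AuthenticationAuthority ShadowHashData KerberosKeys PasswordPolicyOptions; do
        if printf '%s\n' "$record" | grep -q -e "^$k:" -e "^dsAttrTypeNative:$k:"; then
            echo "$k is present; account may be able to authenticate"; rc=1
        fi
    done
    return $rc
}
# Constructed sample records in the shape dscl prints (not from a real host).
SAMPLE_OK='NFSHomeDirectory: /opt/local/var/macports/home
Password: *
PrimaryGroupID: 502
RecordName: macports
UserShell: /usr/bin/false'
SAMPLE_BAD='AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>
NFSHomeDirectory: /var/empty
Password: ********
PrimaryGroupID: 502
UserShell: /bin/zsh'
# On a macOS host, check the live record against the real macports group id.
if [ -x /usr/bin/dscl ]; then
    gid=$(/usr/bin/dscl -q . -read /Groups/macports PrimaryGroupID | awk '{print $2}')
    /usr/bin/dscl -q . -read /Users/macports | check_macports_user_record "$gid"
fi
```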

Attachments (1)

crowdstrike.png (28.4 KB) - added by chrisridd (Chris Ridd) 22 months ago.
Screenshot of the Crowdstrike alert


Change History (4)

Changed 22 months ago by chrisridd (Chris Ridd)

Attachment: crowdstrike.png added

Screenshot of the Crowdstrike alert

comment:1 Changed 22 months ago by chrisridd (Chris Ridd)

Description: modified (diff)

comment:2 Changed 21 months ago by ryandesign (Ryan Carsten Schmidt)

I'm not familiar with Crowdstrike. If it is preventing you from using MacPorts, you should report that to its developers and/or to your IT department.

The code it's complaining about is here:

https://github.com/macports/macports-base/blame/ede4db4522aebd05ff6222328fef86f1f9a51c1f/Makefile.in#L41-L92

As you can see, it hasn't really changed in at least nine years.

If what this code does can be done a different way that does not upset Crowdstrike, let us know here or by filing a pull request.

comment:3 Changed 10 months ago by jmroot (Joshua Root)

Another user reported a Crowdstrike complaint; not clear if it's for similar reasons as this one: #69187

BTW, the code Ryan linked to is what runs for source installs (including selfupdate). The equivalent code that runs in the .pkg installer is here: https://github.com/macports/macports-base/blob/v2.9.0/portmgr/dmg/postflight.in#L171
