Crowdstrike (security scanner) freaks out when the package installer runs

[chrisridd (Chris Ridd)]

Our IT folks use some software called Crowdstrike to protect our Macs.

I don't know if the package installer script has changed recently, or if Crowdstrike's become more sensitive, but installing the MacPorts-2.8.1-13-Ventura.pkg just now caused Crowdstrike to freak out and kill the script.

Maybe there's another way to do what the installer's doing without upsetting Crowdstrike? Or maybe MacPorts can ask Crowdstrike to whitelist this particular script?

Here is a screenshot of the Crowdstrike error:

The script it is complaining about is this:

/bin/sh -c if test -n "/usr/bin/dscl" -a -n "/usr/sbin/dseditgroup" ; then if ! /usr/bin/dscl -q . -read "/Groups/macports" > /dev/null 2>&1 ; then if test `id -u` -eq 0; then echo "Creating group \"macports\"" ; /usr/sbin/dseditgroup -q -o create "macports" ; else echo "Not creating group \"macports\" (not root)" ; fi ; fi ; if ! /usr/bin/dscl -q . -list "/Users/macports" > /dev/null 2>&1 ; then if test `id -u` -eq 0; then echo "Creating user \"macports\"" ; NEXTUID=501; while test -n "`/usr/bin/dscl -q /Search -search /Users UniqueID $NEXTUID`"; do let "NEXTUID=NEXTUID+1"; done; /usr/bin/dscl -q . -create "/Users/macports" UniqueID $NEXTUID ; /usr/bin/dscl -q . -delete "/Users/macports" AuthenticationAuthority ; /usr/bin/dscl -q . -delete "/Users/macports" PasswordPolicyOptions ; /usr/bin/dscl -q . -delete "/Users/macports" dsAttrTypeNative:KerberosKeys ; /usr/bin/dscl -q . -delete "/Users/macports" dsAttrTypeNative:ShadowHashData ; /usr/bin/dscl -q . -create "/Users/macports" RealName MacPorts ; /usr/bin/dscl -q . -create "/Users/macports" Password \* ; /usr/bin/dscl -q . -create "/Users/macports" PrimaryGroupID $(/usr/bin/dscl -q . -read "/Groups/macports" PrimaryGroupID | /usr/bin/awk '{print $2}') ; /usr/bin/dscl -q . -create "/Users/macports" NFSHomeDirectory "/opt/local/var/macports/home" ; /usr/bin/dscl -q . -create "/Users/macports" UserShell /usr/bin/false ; else echo "Not creating user \"macports\" (not root)" ; fi ; fi ; if test "$(/usr/bin/dscl -q . -read "/Users/macports" NFSHomeDirectory)" = "NFSHomeDirectory: /var/empty" ; then if test `id -u` -eq 0; then echo "Updating home directory location for user \"macports\"" ; /usr/bin/dscl -q . -create "/Users/macports" NFSHomeDirectory "/opt/local/var/macports/home" ; else echo "Not updating home directory location for user \"macports\" (not root)" ; fi ; fi ; if test "22" -eq 8 -a `id -u` -eq 0; then GID=`/usr/bin/dscl -q . -read "/Groups/macports" PrimaryGroupID | /usr/bin/awk '{print $2}'` ; if test "`/usr/bin/dscl -q . -read "/Users/macports" PrimaryGroupID 2>/dev/null | /usr/bin/awk '{print $2}'`" != "$GID"; then echo "Fixing PrimaryGroupID for user \"macports\"" ; /usr/bin/dscl -q . -create "/Users/macports" PrimaryGroupID $GID ; /usr/bin/dscl -q . -create "/Users/macports" RealName MacPorts ; fi ; fi ; else echo "Can't find /usr/bin/dscl / /usr/sbin/dseditgroup, not creating user \"macports\"" ; fi

[chrisridd (Chris Ridd)]

Screenshot of the Crowdstrike alert

[ryandesign (Ryan Carsten Schmidt)]

I'm not familiar with Crowdstrike. If it is preventing you from using MacPorts, you should report that to its developers and/or to your IT department.

The code it's complaining about is here:

​https://github.com/macports/macports-base/blame/ede4db4522aebd05ff6222328fef86f1f9a51c1f/Makefile.in#L41-L92

As you can see, it hasn't really changed in at least nine years.

If what this code does can be done a different way that does not upset Crowdstrike, let us know here or by filing a pull request.

[jmroot (Joshua Root)]

Another user reported a Crowdstrike complaint; not clear if it's for similar reasons as this one: #69187

BTW, the code Ryan linked to is what runs for source installs (including selfupdate). The equivalent code that runs in the .pkg installer is here: ​https://github.com/macports/macports-base/blob/v2.9.0/portmgr/dmg/postflight.in#L171