Run brew commands as regular user

include/functions

@@ -91,6 +91,7 @@
 #    ReportManual               Log manual actions to report file
 #    ReportSuggestion           Add a suggestion to report file
 #    ReportWarning              Add a warning and priority to report file
+#    RunCmdAsUser               Run commands as a normal user instead of root
 #    SafeFile                   Security tests to perform on a file before using it
 #    SafePerms                  Check if a file has safe permissions
 #    SafeInput                  Test provided string to see if it contains unwanted characters
@@ -3036,6 +3037,44 @@
     }
 
 
+    ################################################################################
+    # Name        : RunCmdAsUser()
+    # Description : Run commands as a normal user instead of root
+    #
+    # Parameters  : $@ = command arguments
+    # Returns     : None (executes the command as the appropriate user)
+	# Notes       : This allows dropping permissions for specific commands when
+	#               lynis is invoked as root, preventing privilege escalation
+	#               risks (CWE-250, CWE-271).
+	#
+	#               By isolating privileged code and dropping said privileges as
+	#               soon as possible, we can execute tools with their proper
+	#               permissions, such as in the case of Homebrew.
+	#
+	#               When available, we use `sudo` and `su`. For a strictly
+	#               POSIX-compliant environment, a C implementation could be
+	#               made using `setgid()` and `setuid()`.
+    ################################################################################
+    ################################################################################
+
+    RunCmdAsUser() {
+        case "$(id -u)" in
+            0)
+                if command -v sudo >/dev/null
+                then
+                    sudo -u "$SUDO_USER" "$@"
+                elif command -v su >/dev/null
+                then
+                    su "$(id -un)" -c "$@"
+                else
+                    "$@"
+                fi
+                ;;
+            *) "$@"
+        esac
+    }
+
+
     ################################################################################
     # Name        : SafeInput()
     # Description : Test provided string to see if it contains unwanted characters

include/tests_ports_packages

@@ -127,7 +127,7 @@
         LogText "Test: Querying brew to get package list"
         Display --indent 4 --text "- Querying brew for installed packages"
         LogText "Output:"; LogText "-----"
-        GPACKAGES=$(brew list --versions)
+        GPACKAGES=$(RunCmdAsUser brew list --versions)
         while IFS= read -r PKG; do
             PACKAGE_NAME=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f1)
             PACKAGE_VERSION=$(echo ${PKG} | ${CUTBINARY} -d ' ' -f2)
@@ -183,7 +183,7 @@ EOF
             PACKAGE_VERSION=$(defaults read "$CS/Contents/Info" CFBundleShortVersionString 2>/dev/null || echo "N/A")
             LogText "Found CoreServices: ${PACKAGE_NAME} (version: ${PACKAGE_VERSION})"
             INSTALLED_PACKAGES="${INSTALLED_PACKAGES}|${PACKAGE_NAME},${PACKAGE_VERSION}"
-        done   
+        done
     fi
 #
 #################################################################################