Re: Mac OS X vulnerabilities

From: gabriel rosenkoetter (gr_at_eclipsed.net)
Date: 10/30/03

  • Next message: Luigi Auriemma: "Serious Sam is not so serious" 
    Date: Thu, 30 Oct 2003 15:15:01 -0500
To: bugtraq@securityfocus.com

    On Wed, Oct 29, 2003 at 07:58:54PM -0500, James Kelly wrote:
    > problem is easily fixed by adding this command to a root cron job.
    >
    > diskutil repairpermissions /
    >
    > Above command can be run every day for your paranoia protection ;-)

    Actually, my paranoia protection says that that would be a REALLY
    BAD IDEA.

    I'm going to hazard a guess based on other posts here and figure
    that that does either a straight shell call or at least the equivalent
    of a find / -perm <something> -exec chmod <somethingelse> {} \;

    This is a very small step away from a find <somewhere> [stuff] -exec
    rm -rf, and it's a bad idea for all the same reasons that that is.

    Automated cleanups (whether actually cleaning up files or just
    cleaning up metadata) nearly always end up being race conditions and
    should always be avoided. Scheduling ANYTHING as a superuser should
    be treated with the utmost paranoia.

    This is NOT a solution to the specific problem. Please, folks,
    unless you wrote diskutil and know exactly what it's doing and how,
    don't go out and do this on your systems.

    More importantly, it's not a solution to the real problem here,
    which has nothing to do with the specific permissions brokenness
    on Mac OS X and everything to do with an inappropriate vendor
    response.

    Just like they did when they first started offering software updates
    online but negelected to include one-way function results and
    cryptographic signatures, Apple needs to admit they were wrong and
    do something about it. I certainly hope that they do. Quickly. 

    -- 
gabriel rosenkoetter
gr@eclipsed.net

  • Next message: Luigi Auriemma: "Serious Sam is not so serious"