Comments on: Office 2008 for the ‘executive’ http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/ things i think of Wed, 09 Jul 2008 12:03:37 +0000 http://wordpress.org/?v=2.1.3 By: Rick http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-315 Rick Thu, 24 Jan 2008 14:03:48 +0000 http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-315 There are six octal digits in a file mode, not five. '10' is 'regular file'. You mask the mode with octal 170000 to get the file type. The 4th from the right is indeed as you state for sticky, set UID, and set GID bits. And the rest of course is spot on. And thanks for bringing it to people's attention. Cheers. There are six octal digits in a file mode, not five. ‘10′ is ‘regular file’. You mask the mode with octal 170000 to get the file type. The 4th from the right is indeed as you state for sticky, set UID, and set GID bits. And the rest of course is spot on. And thanks for bringing it to people’s attention. Cheers.

]]> By: Jim Geovedi http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-340 Jim Geovedi Tue, 29 Jan 2008 20:08:08 +0000 http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-340 interesting finding... made me tried to solve the problem. Step 1 - fix the ownership $ sudo chown -R root:admin /Applications/Microsoft\ Office\ 2008/ Step 2: fix the executables file permission $ sudo find /Applications/Microsoft\ Office\ 2008/ -type f -exec chmod 664 {} \; $ sudo find /Applications/Microsoft\ Office\ 2008/ -type f | while read foo; do file "${foo}" | while read bar; do echo "${bar}" | awk -F: '/Mach-O/ {printf "chmod 775 "%s"\n",$1}'; done; done | grep -v "for architecture" | sudo sh Hope I didn't miss something.. :-) interesting finding… made me tried to solve the problem.

Step 1 - fix the ownership

$ sudo chown -R root:admin /Applications/Microsoft\ Office\ 2008/

Step 2: fix the executables file permission

$ sudo find /Applications/Microsoft\ Office\ 2008/ -type f -exec chmod 664 {} \;

$ sudo find /Applications/Microsoft\ Office\ 2008/ -type f | while read foo; do file “${foo}” | while read bar; do echo “${bar}” | awk -F: ‘/Mach-O/ {printf “chmod 775 “%s”\n”,$1}’; done; done | grep -v “for architecture” | sudo sh

Hope I didn’t miss something.. :-)

]]> By: brunerd http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-345 brunerd Thu, 31 Jan 2008 07:29:00 +0000 http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-345 Well, Microsoft added an extra step on the ownership to remove the sticky and SetUID bits before they change ownership to root: <code>/usr/bin/sudo /bin/chmod -R a-st /Applications/Microsoft\ Office\ 2008 /Library/Automator /Library/Fonts/Microsoft /Library/Application\ Support/Microsoft /usr/bin/sudo /usr/sbin/chown -h -R root:admin /Applications/Microsoft\ Office\ 2008 /Library/Automator /Library/Fonts/Microsoft /Library/Application\ Support/Microsoft</code> Full post at: http://www.officeformac.com/blog/Security-issue-in-Mac-Office-2008-Installer So now for your fixes, Jim, I reworked them a bit, didn't need sudo's to find the files, just to chmod them, also I went with xargs for speed, <a href="http://rixstep.com/2/20080105,00.shtml" rel="nofollow">right Rick</a>? :D (and does speed up the first) Step 1: Knock all files down to rw-rw-r-- <code>find /Applications/Microsoft\ Office\ 2008 -type f -print0 | xargs -n 1045 -0 /usr/bin/sudo chmod 664 find /Library/Application\ Support/Microsoft -type f -print0 | xargs -n 890 -0 /usr/bin/sudo chmod 664 # or just simply take away x for the fonts sudo chmod a-x /Library/Fonts/Microsoft/* #automator contains not Mach-O executables, only Applescripts that only require read access find /Library/Automator -type f -print0 | xargs -n 1045 -0 /usr/bin/sudo chmod a-x</code> Note: -n 1045 is to prevent an error when sudo when it gets too many arguments, apparently xargs heaps them on a bit too much, longer paths means less arguments are able to be fit in Step 2: Now find all files of Mach-O type and bump them back up to rwx-rwx-r-x <code>find /Applications/Microsoft\ Office\ 2008 -type f | while read foo; do file "${foo}" | while read bar; do echo "${bar}" | awk -F: '/Mach-O/ {print $1}' | grep -v "for arch"; done; done | xargs -I '{}' /usr/bin/sudo chmod a+x '{}' find /Library/Application\ Support/Microsoft -type f | while read foo; do file "${foo}" | while read bar; do echo "${bar}" | awk -F: '/Mach-O/ {print $1}' | grep -v "for arch"; done; done | xargs -I '{}' /usr/bin/sudo chmod a+x '{}'</code> The second still takes a while with all the awk and file calls on each file... but what else are you gonna do? The awk filtering works well, though, I like that. Anyhoo, it does get the job done, thanks for the push Jim! Although now that I think of it, why would one really want write access to an executable anyway? Apart from some self modifying code for copy protection ofrserialization, it'd seem that r-x is all you really need to run a program eh? So for the more paranoid: Find all files of Mach-O type and chmod them to r-x-r-x-r-x <code>find /Applications/Microsoft\ Office\ 2008 -type f | while read foo; do file "${foo}" | while read bar; do echo "${bar}" | awk -F: '/Mach-O/ {print $1}' | grep -v "for arch"; done; done | xargs -I '{}' /usr/bin/sudo chmod 555 '{}'</code> Well, Microsoft added an extra step on the ownership to remove the sticky and SetUID bits before they change ownership to root:

/usr/bin/sudo /bin/chmod -R a-st /Applications/Microsoft\ Office\ 2008 /Library/Automator /Library/Fonts/Microsoft /Library/Application\ Support/Microsoft

/usr/bin/sudo /usr/sbin/chown -h -R root:admin /Applications/Microsoft\ Office\ 2008 /Library/Automator /Library/Fonts/Microsoft /Library/Application\ Support/Microsoft

Full post at:
http://www.officeformac.com/blog/Security-issue-in-Mac-Office-2008-Installer

So now for your fixes, Jim, I reworked them a bit, didn’t need sudo’s to find the files, just to chmod them, also I went with xargs for speed, right Rick? :D (and does speed up the first)

Step 1: Knock all files down to rw-rw-r–
find /Applications/Microsoft\ Office\ 2008 -type f -print0 | xargs -n 1045 -0 /usr/bin/sudo chmod 664
find /Library/Application\ Support/Microsoft -type f -print0 | xargs -n 890 -0 /usr/bin/sudo chmod 664
# or just simply take away x for the fonts
sudo chmod a-x /Library/Fonts/Microsoft/*
#automator contains not Mach-O executables, only Applescripts that only require read access
find /Library/Automator -type f -print0 | xargs -n 1045 -0 /usr/bin/sudo chmod a-x

Note: -n 1045 is to prevent an error when sudo when it gets too many arguments, apparently xargs heaps them on a bit too much, longer paths means less arguments are able to be fit in

Step 2: Now find all files of Mach-O type and bump them back up to rwx-rwx-r-x
find /Applications/Microsoft\ Office\ 2008 -type f | while read foo; do file "${foo}" | while read bar; do echo "${bar}" | awk -F: '/Mach-O/ {print $1}' | grep -v "for arch"; done; done | xargs -I '{}' /usr/bin/sudo chmod a+x '{}'
find /Library/Application\ Support/Microsoft -type f | while read foo; do file "${foo}" | while read bar; do echo "${bar}" | awk -F: '/Mach-O/ {print $1}' | grep -v "for arch"; done; done | xargs -I '{}' /usr/bin/sudo chmod a+x '{}'

The second still takes a while with all the awk and file calls on each file… but what else are you gonna do? The awk filtering works well, though, I like that. Anyhoo, it does get the job done, thanks for the push Jim!

Although now that I think of it, why would one really want write access to an executable anyway? Apart from some self modifying code for copy protection ofrserialization, it’d seem that r-x is all you really need to run a program eh? So for the more paranoid:

Find all files of Mach-O type and chmod them to r-x-r-x-r-x
find /Applications/Microsoft\ Office\ 2008 -type f | while read foo; do file "${foo}" | while read bar; do echo "${bar}" | awk -F: '/Mach-O/ {print $1}'
| grep -v "for arch"; done; done | xargs -I '{}' /usr/bin/sudo chmod 555 '{}'

]]> By: brunerd http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-346 brunerd Thu, 31 Jan 2008 08:03:06 +0000 http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-346 Although dang it if now I don't realize that xargs is going line for line, because of awk, I've tried putting the grep before awk, and awking with \0 at the end and xargs with -0 but it fouls up... so #2 is still slow... perhaps a kindly hacker will show me my error, for now, it's late! And it's not my problem to fix anyway! ;) Although dang it if now I don’t realize that xargs is going line for line, because of awk, I’ve tried putting the grep before awk, and awking with \0 at the end and xargs with -0 but it fouls up… so #2 is still slow… perhaps a kindly hacker will show me my error, for now, it’s late! And it’s not my problem to fix anyway! ;)

]]> By: ethan http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-386 ethan Tue, 05 Feb 2008 16:42:18 +0000 http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-386 Maybe I'm missing something, but... who cares? Why would a user care if all this stuff is executable? It's not like the exe bit matters for the vast majority of purposes. Maybe I’m missing something, but… who cares? Why would a user care if all this stuff is executable? It’s not like the exe bit matters for the vast majority of purposes.

]]> By: Rick http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-388 Rick Wed, 06 Feb 2008 01:25:37 +0000 http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-388 Yes no guarantees on xargs with awk. Awk awk! It's valiant of you both to tackle this one but as Joel says: 'it's not his job!' Cheers. ;) PS. 'Find all files of Mach-O type and chmod them to r-x-r-x-r-x' - uh don't you want 'r-x-r-x---x'? Yes no guarantees on xargs with awk. Awk awk! It’s valiant of you both to tackle this one but as Joel says: ‘it’s not his job!’ Cheers. ;)

PS. ‘Find all files of Mach-O type and chmod them to r-x-r-x-r-x’ - uh don’t you want ‘r-x-r-x—x’?

]]> By: Rick http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-389 Rick Wed, 06 Feb 2008 01:26:45 +0000 http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-389 Oops - take that last bit back. I'm not used to working in rwx. Used to working in octal. Yes you want at least 5s all the way through and as most on the last one. Oops - take that last bit back. I’m not used to working in rwx. Used to working in octal. Yes you want at least 5s all the way through and as most on the last one.

]]> By: Rick http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-390 Rick Wed, 06 Feb 2008 01:31:56 +0000 http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-390 PPS. Isn't it sweet to see M$ forced to do Unix? ;) PPS. Isn’t it sweet to see M$ forced to do Unix? ;)

]]> By: brunerd http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-395 brunerd Wed, 06 Feb 2008 05:43:57 +0000 http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-395 Ethan, you are missing something and many people do care. Do you care if your house is built on sand or rock? Do you label every bottle in your house from bleach to soda "Drink Me"? The engineers of Unix didn't just make up the executable bit just for the fun of it, it's about security. MS better be making sure they are making a secure product and not undermining basic file system security philosophies just because they haven't used PackageMaker before. Ethan, you are missing something and many people do care. Do you care if your house is built on sand or rock? Do you label every bottle in your house from bleach to soda “Drink Me”? The engineers of Unix didn’t just make up the executable bit just for the fun of it, it’s about security. MS better be making sure they are making a secure product and not undermining basic file system security philosophies just because they haven’t used PackageMaker before.

]]> By: mackdieselx27 http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-446 mackdieselx27 Thu, 14 Feb 2008 05:48:18 +0000 http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-446 "Do you label every bottle in your house from bleach to soda 'Drink Me'?" Bleach supposedly leaves a bad aftertaste; maybe Ethan could enlighten us on that part. “Do you label every bottle in your house from bleach to soda ‘Drink Me’?”

Bleach supposedly leaves a bad aftertaste; maybe Ethan could enlighten us on that part.

]]> By: Steve http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-496 Steve Sun, 17 Feb 2008 19:42:15 +0000 http://www.brunerd.com/blog/2008/01/21/office-2008-for-the-executive/#comment-496 Can you confirm that in Font Book the font "Bauhaus 93" (installed by Office 2008 and also 2004 as I've seen in a store) is said to have small errors ('kern' structure or similar)? Validate that font, I think it's a bug of Font Book in Leopard, I don't think it's corrupted, I've also replaced it with a Bauhaus 93 from a friend of mine and displays the same error in Font Book validation... All works fine (except Font Book I think ;-) ) . Can you confirm that in Font Book the font “Bauhaus 93″ (installed by Office 2008 and also 2004 as I’ve seen in a store) is said to have small errors (’kern’ structure or similar)?
Validate that font, I think it’s a bug of Font Book in Leopard, I don’t think it’s corrupted, I’ve also replaced it with a Bauhaus 93 from a friend of mine and displays the same error in Font Book validation…
All works fine (except Font Book I think ;-) ) .

]]>