March 12, 2008 at 2:19 pm
· Filed under Microsoft, Security
So the Office 2008 12.01 updater came out, it’s got a whole lot of packages for each app and component with postflight scripts written in Python to clean up all the permissions:
Mar 12 15:33:00 brunerd runner[8556]: postflight[8773]: setting ownership/permissions
Mar 12 15:33:00 brunerd runner[8556]: postflight[8773]: fixing setuid flags
Mar 12 15:33:00 brunerd runner[8556]: postflight[8773]: clearing ACLs
Mar 12 15:33:00 brunerd runner[8556]: postflight[8773]: sanitizing receipts
Doing an ls -lRFG in /Applications/Microsoft Office 2008 won’t leave you seeing red, they’ve cleaned that all up quite nicely.
Anyway, call me picky, but it forgets just one thing, the /Library/Fonts/Microsoft folder, it leaves that and its contents owned by 502 and they’re all marked executable. (Fonts don’t really need to be executable.) And as paranoid as it is — it’s still not quite right. So after you’ve put your tinfoil hat on, run 12.01, you can do this to finish it up:
#take away all users’ execute permissions
chmod a-x /Library/Fonts/Microsoft/*
#recursively own all fonts as root and admin group
sudo chown -R root:admin /Library/Fonts/Microsoft
Update: Or you can go into the update using Show Package Contents then navigate to Contents/Packages and run Office2008_en_fonts_12.0.1.incremental.pkg again, that’ll do the trick.
Permalink
March 8, 2008 at 12:31 pm
· Filed under OS X, Security
Did you know a Standard user can run commands as root via ARD?
This seems really odd doesn’t it? Why would this be necessary? The thing that gets me is how in Tiger you had to explicitly grant each user the privileges after starting the ARD service. But in Leopard, when you start the service All Users is the default.
So let’s take a walkthrough of what I was looking into this Friday evening:
Find a Mac running Leopard
Turn on Remote Management (yes you do have to be admin to do this)
Notice the default is for All Users to have access.
Create a Standard user in Leopard
Great, now go get a machine with ARD on it.
Add the computer to your ARD list using the standard user’s credentials
Send it a Unix Command to run as root (touch /HaxorWasHere, in this case)
Notice the new file owned by root in a place where no standard user can put things.
Interestingly, perhaps because I had done this a number of times, and Leopard got confused after a while, I tried deleting through Finder (while logged in as ‘test’ but authenticating as administrator) and got this message
OK that oddity aside, here’s another: You don’t need to have everything checked in ARD’s preferences to accomplish this, here’s the bare minimum :
Generate reports
Open and quit applications
Change settings
Delete and replace items
Restart and shut down
Copy items
Page 66 of the ARD manual does go into detail what needs to be turned on to run a Unix command, but why not just have a check box: Run Unix Command? Also, Generate Reports isn’t listed as one of them, but unless it was checked I got this?
Now I’m not saying this is an out and out security breach, no, because it requires admin privileges to turn on the service and add the user, but it does show how simply checking a check box as an admin could open your up your Mac to Bad Thingsā¢ if a standard user on your family computer has a weak password and someone else has ARD in a dark alley… well, you know what I mean. This just doesn’t seem right. Standard users should only be able to do standard user things, even in the magical world of ARD.
See the ARD manual pages 65-68 for Apple’s wording on the Remote Management Preference pane permissions. See if it seems clear that Standard users given ‘administrator’ (ARD administrator in this case) privileges can run as root. Leave a comment and let me know what you think, thanks.
Permalink
