Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Netinfo and root user security hole System
I found this interesting discussion on the MacNN forums talking about a Netinfo security hole and the root account.

When you have the Terminal in the recent applications menu, and Netinfo Manager in the foreground, launch the Terminal (from the Recent Items Apple menu) and you will be logged in as the root user. The person who posted said that he didn't even have the root password enabled.

I tried this (I do have the root password enabled) in 10.1 (5G64) and the same thing happened.

[Editor's addition: The MacNN forums go on to pinpoint the cause (Netinfo Manager essentially runs as root while it's running) as well as a workaround - disable excecute permissions for those who aren't members of the Admin group. However, exactly HOW to do this is not listed. You should be able to do this in the terminal:
sudo chmod o-x "/Applications/Utilities/NetInfo Manager.app/Contents/MacOS/NetInfo Manager"
This removes the execute bit for "others", leaving it for "user" (root) and "group" (admin, which your normal user is a part of). I switched mine, and my admin user continues to be able to use NetInfo Manager, but I don't have a non-admin user to test with at the moment.]

[NOTE: Above recommendation reflects comments listed below - thanks all!]
    •    
  • Currently 2.00 / 5
  • 1
  • 2
  • 3
  • 4
  • 5
  (2 votes cast)
 
[5,135 views]  

Netinfo and root user security hole | 11 comments | Create New Account
Click here to return to the 'Netinfo and root user security hole' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Amazingly bad 2
Authored by: ceugene on Oct 17, '01 03:16:59AM

I just found out about this one in OS X. Open any app. Now open NetInfo Manager and leave it in the foreground. Now launch an app from the Recent Items submenu in the Apple Menu. It will be run as root.

It seems that the Apple Menu is wide open in any app run as root, not just NetInfo Manager...For example, once you open Terminal, quit NetInfo Manager and run TextEdit from the recent apps menu with Terminal in the foreground...you can now edit any file in OS X.

Seems to me that Apple has to separate teh Apple Menu from Applications menus.



[ Reply to This | # ]
Not only Netinfo
Authored by: rogerm on Oct 17, '01 04:02:07AM

Seems that if you start 'disk utility' the same results can be achieved. I would guess that other apps that need to be root could be allowing this behavior.



[ Reply to This | # ]
Disabling excecute permissions
Authored by: Brad Puett on Oct 17, '01 03:19:11AM

If you are a Copy-And-Paste person (like me), use the following syntax instead:

sudo chmod o-x "/Applications/Utilities/NetInfo Manager.app"

That way, you won't have any problems with the space between 'NetInfo' and 'Manager' ,,,



[ Reply to This | # ]
That's not really the App
Authored by: serversurfer on Oct 17, '01 08:05:28AM
The tip of the original poster just changes the permission for the folder that holds the NetInfo app. Removing 'executable' from this will solve the problem, but makes the application look like a folder to non-admins. The proper way to set the perms would be:

sudo chmod o-x "/Applications/Utilities/NetInfo Manager.app/Contents/MacOS/NetInfo Manager"

Better still, move the Offending Apps (NetInfo Manager and Disk Utility) in to a folder that only admins have access to:

mkdir "/Applications/Utilities/Admin Only"
sudo chown root:admin "/Applications/Utilities/Admin Only"
sudo chmod 770 "/Applications/Utilities/Admin Only"
sudo mv "/Applications/Utilities/Disk Utility.app /Applications/Utilities/Admin Only"
sudo mv "/Applications/Utilities/NetInfo Manager.app /Applications/Utilities/Admin Only"


Also, check out this thread at ArsTechnica:
http://arstechnica.infopop.net/OpenTopic/page?a=tpc&s=50009562&f=8300945231&m=5230994492

[ Reply to This | # ]
Thanks!
Authored by: robg on Oct 17, '01 09:46:25AM

Nice catch on the app vs. the bundle ... and I really like the "admin only" folder solution. I wonder how Apple will choose to patch it.

One other point is that if you have physical access, then root is probabably exposed anyway (especially if the install CD is lying around close by). I view this almost as more of a user protection issue than anything else -- I don't want Terminal or anything else running as root unless I tell them to run as root. Scary things can be done!

-rob.



[ Reply to This | # ]
That's not really the App
Authored by: Brad Puett on Oct 17, '01 03:41:49PM

Again, for the "Copy-And-Paste" people (NOT the same as "Anal-Retentive"!! ;^), use the following syntax instead:

mkdir "/Applications/Utilities/Admin Only"
sudo chown root:admin "/Applications/Utilities/Admin Only"
sudo chmod 770 "/Applications/Utilities/Admin Only"
sudo mv "/Applications/Utilities/Disk Utility.app" "/Applications/Utilities/Admin Only"
sudo mv "/Applications/Utilities/NetInfo Manager.app" "/Applications/Utilities/Admin Only"

(The last 2 lines are the only ones that changed ... I added double-quote marks around each of the path/file names) ...



[ Reply to This | # ]
Sorry, Brad :)
Authored by: serversurfer on Oct 17, '01 07:16:44PM

I really was trying to quote it properly. Just for you, in fact!



[ Reply to This | # ]
Any app run as root
Authored by: jimr on Oct 17, '01 01:51:58PM

seems that if you use sudo to launch apps from the command-line
like a thread running parallel to this is discussing,
whatever you select from the apple menu while the app is running will be run as root.
except, Netinfo Manager still seems to want a password....

this probably goes for the GUI sudo utilities as well.

sure is convenient to run BBEdit as root to edit config files.

.......lock your machine when you are away.





[ Reply to This | # ]
Also true, but...
Authored by: serversurfer on Oct 17, '01 07:27:00PM

Hopefully, anyone in your sudoers group (wheel) can be trusted not to abuse this. But sudo in not exactly the same as su, so I hope Apple corrects this soon. Apparently, the Apple Menu is built by the frontmost app, and has all the privileges of the controlling user (in this case root). The solution would be to make sure the Apple Menu only has the privs of the logged in user. However, this may be easier said than done. ;)



[ Reply to This | # ]
Don't see it with Security update
Authored by: Mithrandir on Oct 25, '01 06:45:20PM

I have the Oct 19 Security update (5L14) installed and I don't see this behavior.

Maybe Apple fixed it already?

M



[ Reply to This | # ]
Don't see it with Security update
Authored by: serversurfer on Oct 26, '01 06:09:06PM
I think that's what the update is for.

[ Reply to This | # ]