

Two ways to possibly close an ARDAgent security hole
Authored by: Dr. T on Jun 20, '08 10:38:27AM

> Patching it may be tricky, because administrators really do need the ability to run root-enabled scripts remotely and non-interactively...

I see no reason why a patch cannot work. An admin name and password should be required before the Mac will run root-enabled scripts (at the computer or remotely). The Trojan Horse software cannot send the password. All Apple has to do is disallow root access to ARDAgent unless admin name and password are entered.



Two ways to possibly close an ARDAgent security hole
Authored by: allanmarcus on Jun 20, '08 03:34:41PM

How do you propose to transmit the admin user's password to the client machine over the network?

1) plain text. bad idea
2) encrypted: well, it has to be decrypted and it could be intercepted then.
3) ssh keypairs? this is starting to move in the right direction, but think of the vulnerability if the private key were compromised.
4) kerberos? might work, but most organizations don't run a KDC, although many do.
5) Directory Service integration? This is also a good idea. Don't send any password; just have to somehow prove to the client that the person running the script is in an admin group.

Any way you slice it, it is a hard problem. The main issue is that Apple uses a push architecture, not pull. This means that the admin pushes a script onto the client rather than the client connecting to a server and pulling the script. If the client pulls the script, only the process that does the checking for tasks needs to have root privs. As long as ARD does a push, it will be vulnerable. In places where security matters (like the US government, where I work) push technologies are generally not allowed for configuration management.

Just my 2 cents.



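The pull model argued for in the comment above, as an added sketch that is not ARD's code or anything from the posters: the only root-privileged piece is a poller that holds admin public keys (never private ones) plus a local copy of the admin group, and it will run a pulled task only when the task is signed by a key that belongs to a current admin, combining the keypair and group-membership options from the list. The `Puller`, `Task` and account names are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Task is what the client pulls from the management server: the admin
// account that authored it, the script body, and a signature over the body.
type Task struct {
	Signer string
	Body   []byte
	Sig    []byte
}

// Puller is the one root-privileged component in the pull model. It holds
// only public keys and a stand-in for a directory-service admin lookup.
type Puller struct {
	Keys   map[string]ed25519.PublicKey // account -> public key
	Admins map[string]bool              // account -> is in the admin group
}

var (
	ErrUnknownSigner = errors.New("signer has no registered key")
	ErrNotAdmin      = errors.New("signer is not in the admin group")
	ErrBadSignature  = errors.New("signature does not match task body")
)

// Authorize decides whether a pulled task may be executed as root. A real
// deployment would also bind the target host and an expiry into Body so a
// captured task cannot be replayed elsewhere or later.
func (p *Puller) Authorize(t Task) error {
	key, ok := p.Keys[t.Signer]
	if !ok {
		return ErrUnknownSigner
	}
	if !p.Admins[t.Signer] {
		return ErrNotAdmin
	}
	if !ed25519.Verify(key, t.Body, t.Sig) {
		return ErrBadSignature
	}
	return nil
}

// SignTask runs on the admin's own machine; the private key never leaves it.
func SignTask(signer string, priv ed25519.PrivateKey, body []byte) Task {
	return Task{Signer: signer, Body: body, Sig: ed25519.Sign(priv, body)}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	p := &Puller{Keys: map[string]ed25519.PublicKey{"alice": pub}, Admins: map[string]bool{"alice": true}}
	fmt.Println("authorized:", p.Authorize(SignTask("alice", priv, []byte("run-inventory"))) == nil)
}
```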