

10.5: Use a custom firewall in 10.5 with ipfw (CAREFUL!)
Authored by: el.tyde on Feb 10, '08 04:57:42PM
Gibberish.

Let us quote directly from the source:
http://www.macosxhints.com/dlfiles/custom_ipfw_105.txt

- in my ~/bin directory the ipfw_firewall.sh looks like this:

#!/bin/sh
## Boot Script for firewall

#
# CONSTANTS
#

IPFW=/sbin/ipfw
SYSCTL=/usr/sbin/sysctl

...

The question was not: "How exactly did he 'give away root'?" (as you put it). The question was: "DID [he] just give away root?" (as I put it). So did he? And did you, if you implemented the hint as originally described (with vague ownership/permissions)?

I wouldn't know. That would depend on: all of your daemon script-related ownership and permissions, which the "Sat, Dec 1 '07 10:40PM PST" post here asks to clarify. (And on: what websites he/you may have visited - that's just one possibility.)

Since I respect the possibility that you might really be missing something, I will clarify.

NOTE: The issue here is entirely about ownership and permissions related to: ipfw_firewall.sh. It is very bad practice to have a script like this (in a user directory like ~/bin, or some other such vague directory with vague permissions) and have it modifiable possibly by anyone. Why? Because it will run as root (e.g. during boot time, via described launchd plist). If you, or Safari (or whatever) running as user, or anyone can arbitrarily write commands to such a script, then that anything can run as root upon execution of the script. Game over, if you'd like. A daemon script like the one described in this hint, running sysctl and ipfw (or whatever) with root permissions, should itself be modifiable only by root.

REF: tn2083.html


10.5: Use a custom firewall in 10.5 with ipfw (CAREFUL!)
Authored by: Brathahn on Mar 03, '08 02:28:26AM

Thanks guys! Having the ipfw_firewall.sh script in ~/bin was too lazy of me.... I tend to keep my scripts in one place to be able to edit them easily... so I've updated the .plist for launchd and the script is now sitting in /usr/local/sbin with root:wheel permissions...

And NO, I don't use my "blah" account for admin stuff. So it always goes like "su admin" and then "sudo -s"....


Thanks for all the feedback, unfortunately I don't check back too often and there's no option to receive email alerts if something gets added in a thread / topic started by me (or at least I didn't find the checkbox for it...)



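As an added check, not code from either poster or from the original hint, the following sh script verifies the property both comments above arrive at: a script that launchd runs as root (assumed here to live at /usr/local/sbin/ipfw_firewall.sh, the location Brathahn moved it to) must be owned by root and writable only by root, and so must every directory above it, since a writable parent directory lets the file be replaced wholesale. Parsing `ls -ld` output instead of `stat` is an assumption made so it runs unchanged on both macOS and Linux.

```shell
#!/bin/sh
# Added example: check that a script launchd will run as root is owned by root
# and writable by nobody else, walking every parent directory up to a trusted
# top as well. Parses `ls -ld` output so it works on both macOS and Linux.

# check_path_secure PATH [OWNER]
# Succeeds if PATH is owned by OWNER (default root) and has no group/other
# write bit; prints the reason to stderr and fails otherwise.
check_path_secure() {
    _path=$1
    _want=${2:-root}
    _line=$(ls -ldL "$_path" 2>/dev/null) || { echo "$_path: missing" >&2; return 1; }
    _mode=$(printf '%s\n' "$_line" | awk '{ print $1 }')
    _owner=$(printf '%s\n' "$_line" | awk '{ print $3 }')
    if [ "$_owner" != "$_want" ]; then
        echo "$_path: owned by $_owner, expected $_want" >&2
        return 1
    fi
    # Column 6 of the mode string is the group write bit and column 9 the
    # world write bit: -rwxr-xr-x passes, -rwxrwxr-x and -rwxr-xrwx fail.
    case "$_mode" in
        ?????w*|????????w*)
            echo "$_path: writable by group or others ($_mode)" >&2
            return 1 ;;
    esac
    return 0
}

# check_script_chain SCRIPT TOP [OWNER]
# Runs check_path_secure on SCRIPT and on each parent directory up to TOP,
# reporting every problem found rather than stopping at the first.
check_script_chain() {
    _cur=$1
    _top=$2
    _own=${3:-root}
    _rc=0
    while :; do
        check_path_secure "$_cur" "$_own" || _rc=1
        [ "$_cur" = "$_top" ] && break
        _next=$(dirname "$_cur")
        [ "$_next" = "$_cur" ] && break    # reached the filesystem root
        _cur=$_next
    done
    return $_rc
}

# Run as a script: sh check_root_script.sh /usr/local/sbin/ipfw_firewall.sh
if [ -n "${1:-}" ]; then
    check_script_chain "$1" / && echo "$1: ok"
fi
```

A non-zero exit means at least one path in the chain is either not root-owned or writable by group/others, and each offending path is named on stderr.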