[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20031030201501.GG14469@uriel.eclipsed.net>
Date: Thu, 30 Oct 2003 15:15:01 -0500
From: gabriel rosenkoetter <gr@...ipsed.net>
To: bugtraq@...urityfocus.com
Cc: James Kelly <macubergeek@...cast.net>
Subject: Re: Mac OS X vulnerabilities
On Wed, Oct 29, 2003 at 07:58:54PM -0500, James Kelly wrote:
> problem is easily fixed by adding this command to a root cron job.
>
> diskutil repairpermissions /
>
> Above command can be run every day for your paranoia protection ;-)
Actually, my paranoia protection says that that would be a REALLY
BAD IDEA.
I'm going to hazard a guess based on other posts here and figure
that that does either a straight shell call or at least the equivalent
of a find / -perm <something> -exec chmod <somethingelse> {} \;
This is a very small step away from a find <somewhere> [stuff] -exec
rm -rf, and it's a bad idea for all the same reasons that that is.
Automated cleanups (whether actually cleaning up files or just
cleaning up metadata) nearly always end up being race conditions and
should always be avoided. Scheduling ANYTHING as a superuser should
be treated with the utmost paranoia.
This is NOT a solution to the specific problem. Please, folks,
unless you wrote diskutil and know exactly what it's doing and how,
don't go out and do this on your systems.
More importantly, it's not a solution to the real problem here,
which has nothing to do with the specific permissions brokenness
on Mac OS X and everything to do with an inappropriate vendor
response.
Just like they did when they first started offering software updates
online but negelected to include one-way function results and
cryptographic signatures, Apple needs to admit they were wrong and
do something about it. I certainly hope that they do. Quickly.
--
gabriel rosenkoetter
gr@...ipsed.net
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists