Message-ID: <20031030201501.GG14469@uriel.eclipsed.net>
Date: Thu, 30 Oct 2003 15:15:01 -0500
From: gabriel rosenkoetter <gr@...ipsed.net>
To: bugtraq@...urityfocus.com
Cc: James Kelly <macubergeek@...cast.net>
Subject: Re: Mac OS X vulnerabilities

On Wed, Oct 29, 2003 at 07:58:54PM -0500, James Kelly wrote:
> problem is easily fixed by adding this command to a root cron job.
> 
> diskutil repairpermissions /
> 
> Above command can be run every day for your paranoia protection ;-)

Actually, my paranoia protection says that that would be a REALLY
BAD IDEA.

I'm going to hazard a guess based on other posts here and figure
that that does either a straight shell call or at least the equivalent
of a find / -perm <something> -exec chmod <somethingelse> {} \;

This is a very small step away from a find <somewhere> [stuff] -exec
rm -rf, and it's a bad idea for all the same reasons that that is.

Automated cleanups (whether actually cleaning up files or just
cleaning up metadata) nearly always end up being race conditions and
should always be avoided. Scheduling ANYTHING as a superuser should
be treated with the utmost paranoia.

This is NOT a solution to the specific problem. Please, folks,
unless you wrote diskutil and know exactly what it's doing and how,
don't go out and do this on your systems.

More importantly, it's not a solution to the real problem here,
which has nothing to do with the specific permissions brokenness
on Mac OS X and everything to do with an inappropriate vendor
response.

Just like they did when they first started offering software updates
online but neglected to include one-way function results and
cryptographic signatures, Apple needs to admit they were wrong and
do something about it. I certainly hope that they do. Quickly.

-- 
gabriel rosenkoetter
gr@...ipsed.net
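An added illustration of the race the post warns about, not code from the message or from diskutil: a scan records a path, the path is swapped for a symlink before the fix runs, and a path-based chmod lands on a different file. The hardened variant opens with O_NOFOLLOW, checks the inode it actually got against what the scan saw, and uses fchmod on the descriptor. The file names and the tempdir scenario are constructed for the demo.

```python
import os, stat, tempfile


def chmod_by_path(path: str, mode: int) -> None:
    # Naive fixer: chmod() resolves the path again at call time and follows
    # symlinks, so it acts on whatever the path points to *now*.
    os.chmod(path, mode)


def chmod_if_same_inode(path: str, mode: int, seen: os.stat_result) -> bool:
    # Safer fixer: open without following symlinks, confirm the open object
    # is the one the scan recorded (same device and inode), then fchmod the
    # descriptor rather than the path.  Returns False if it refused to act.
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:          # path is now a symlink, or is gone
        return False
    try:
        st = os.fstat(fd)
        if (st.st_dev, st.st_ino) != (seen.st_dev, seen.st_ino):
            return False
        os.fchmod(fd, mode)
        return True
    finally:
        os.close(fd)


def simulate(safe: bool) -> int:
    # Constructed scenario: a scan records a 0777 file, the path is swapped
    # for a symlink to an unrelated 0600 file, then the fix is applied.
    # Returns the unrelated file's final permission bits.
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target")
        scanned = os.path.join(d, "scanned")
        for p, mode in ((target, 0o600), (scanned, 0o777)):
            open(p, "w").close()
            os.chmod(p, mode)
        seen = os.lstat(scanned)      # the "find" step's view of the path
        os.remove(scanned)            # the swap lands inside the window
        os.symlink(target, scanned)
        if safe:
            chmod_if_same_inode(scanned, 0o755, seen)
        else:
            chmod_by_path(scanned, 0o755)
        return stat.S_IMODE(os.stat(target).st_mode)


if __name__ == "__main__":
    print("naive fixer left target at %o" % simulate(safe=False))  # 755
    print("inode-checked fixer left target at %o" % simulate(safe=True))  # 600
```

Even the checked variant only narrows the window to the descriptor it holds; it does not make an unattended root-owned sweep of the whole filesystem a good idea, which is the point of the post.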