lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200808191244.m7JCicLC007812@www5.securityfocus.com>
Date: Tue, 19 Aug 2008 06:44:38 -0600
From: bgtrq.tryfixingit@...ichef.net
To: bugtraq@...urityfocus.com
Subject: Apple OSX Leopard (10.5+), inadequate ACL insight can create vuln

OSX 10.5 "Leopard" has activated ACL use and gives ACLs preference over standard POSIX permission bits.  Apple's "Get Info" GUI sets and displays an odd and confusing mix of POSIX and ACL settings, leaving plenty of room for confused security.

Unfortunately, there are not yet adequate tools to detect ACL changes.  Tools like open-source Tripwire only check POSIX permission bits (a feature request has been submitted for ACL support in open-source Tripwire).  Apple's proprietary Disk Utility appears to only check what Apple wants to check (it probably leaves areas like user files vulnerable).

Historically, a number of legitimate and less-than-legitimate software installers have altered the POSIX permission settings for key system files and directories.  Those alterations could easily be extended to ACLs, and would be more difficult to detect, since there are almost no tools to find them.

Users should carefully consider if the risks of using ACLs in OSX outweigh the benefits.  For many systems with a small number of users, ACLs are massive overkill, and should probably be disabled.  The following command disables ACLs on the root volume (the command only operates on each volume):

# fsaclctl -p / -d

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ