Message-Id: <429EC54A-8B54-4502-9F95-045E9137CF4F@propagandaprod.com>
Date: Tue, 22 Aug 2006 17:21:24 +0200
From: Propaganda Support <support@...pagandaprod.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: NETRAGARD-20060624 SECURITY ADVISORY] [ROXIO TOAST 7 TITANIUM - LOCAL ROOT COMPROMISE ]


On Aug 22, 2006, at 3:22 PM, K F wrote:

> the admin users on OS X can NOT become root at any time.

Yes, they can.

> The admin user must first know the admin password before becoming  
> root.

Obviously. An admin user who doesn't know the admin password is not  
an admin user. He/she is a different user using an admin user's account.

> Based on the info below ANYONE that sits down at your pc while it  
> is logged in can take advantage of the fact that you can take root  
> WITHOUT a password using the technique outlined below.

Not true. They must provide an admin password to use the Deja Vu pref  
pane, unless the admin user chose to leave it unlocked. (It's locked  
by default.)

> Don't act like you have never let someone use a web browser or log  
> into instant messenger on your computer before...

I don't have to act like it, because I don't unless I trust the  
person completely. I have a guest account for anyone else.

If you let people that you don't trust use your logged in admin  
account, you're asking for all kinds of trouble, whether or not you  
have Deja Vu installed. They could delete any/all folders within your  
Home folder, for example.

Kind Regards,
-jeff

--
Jeff Holland
http://propagandaprod.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
