Message-Id: <F8DF758F-019C-452D-BEE6-13C0634A2186@propagandaprod.com>
Date: Wed, 23 Aug 2006 10:59:43 +0200
From: Propaganda Support <support@...pagandaprod.com>
To: full-disclosure@...ts.grok.org.uk
Subject: NETRAGARD-20060624 SECURITY ADVISORY] [ROXIO TOAST 7 TITANIUM - LOCAL ROOT COMPROMISE ]

> On Aug 22, 2006, at 3:22 PM, K F wrote:
>
>>> the admin users on OS X can NOT become root at any time.
>>
>> Yes, they can.
>
> Um NO they can't. ANY is a pretty strong word.

I already demonstrated it in my original post.

> without the admin password an admin user can not become root.

I'm not sure why there is confusion here. By definition, an admin  
user is a user with an admin name and password.

> I am physically sitting on a mac that I do not know the admin  
> password to right now

Then you aren't an admin user. You're using someone else's admin  
account. This is not simply arguing over semantics. These concepts  
are well defined on Unix-based systems.

> Does it make a difference if it is someone that I DO trust?

Of course it makes a difference. Security has everything to do with  
trust.

If your argument is based primarily on allowing others to have access  
to an admin account which is not theirs (i.e., for which they do not  
have the password), then you really don't have much of an argument.  
In general, this is a VERY BAD IDEA, and is completely unnecessary on  
a multi-user system like OS X.

Kind Regards,
-jeff

-- 
Jeff Holland
http://propagandaprod.com



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
