
RE: Security flaw... kindda!



I don't consider this a security flaw. Anyone with open-ended sudo
access (which is, after all, what the "Administrator" check box is) can
do anything root can, including changing root's password. The answer is
to restrict access to the commands that can be had via the sudoers(5)
file.

--Michael

> -----Original Message-----
> From: email@hidden
> [mailto:email@hidden] On Behalf Of
> Juan Manuel Palacios
> Sent: Tuesday, April 29, 2003 4:50 PM
> To: Mac OS X Server MailingList
> Subject: Security flaw... kindda!
>
>
> Hello people, here's something interesting I just found out and I
> wanted to get some comments from you all before I freak out. It seems
> to me like a security flaw from a first impression point of view... but
> well, anybody could claim I'm being paranoid! More than "finding out"
> all I did was put together some pieces of a puzzle which has been
> discussed here extensively.
>
> Today I realized I had forgotten root's password in my PowerBook OS X
> 10.2.5 client install so as I didn't feel like rebooting from CD I
> fired up John the Ripper to crack it for me. After a long time and a
> lot of CPU consumed (and after saying "Gee, that must have been a
> **good** password"!) I started thinking about alternatives and just
> before reaching the CDs it occurred to me to think in terms of the
> traditional ways in which UNIX has done things: what defines an
> "inactive" account? A "*" in the password field of the /etc/passwd
> file, right? Well, what happens if I replace the password entry in the
> NetInfo database with a "*"? Will that "deactivate" the account?
> Indeed!!!
>
> {07:20:23}[juan@PowerBook: run](0)% niutil -read . /users/root
> name: root
> passwd: fsIDuNvUtuNGM
> uid: 0
> gid: 0
> change: 0
> expire: 0
> realname: System Administrator
> home: /var/root
> shell: /bin/bash
> _writers_passwd: root
>
> {07:20:27}[juan@PowerBook: run](0)% sudo niutil -createprop . /users/root passwd "*"
> Password:
>
> {07:21:18}[juan@PowerBook: run](0)% niutil -read . /users/root
> name: root
> passwd: *
> uid: 0
> gid: 0
> change: 0
> expire: 0
> realname: System Administrator
> home: /var/root
> shell: /bin/bash
> _writers_passwd: root
>
> How do you like **that**? Hold on, the beauty doesn't end there! Why
> did I do this, some of you may ask. The one thing in my mind all the
> time was "NetInfo Manager.app". Indeed when I opened it the root
> account was deactivated, just as if the system were a fresh install,
> and all it took was to enter my administrator password to enable root
> and enter a password of my choosing, no previous password knowledge
> required! How's **that** for security?!!
>
> What this means is that anyone with administrator access in a system
> with a stock sudoers file can go in and claim ownership of root with
> that simple hack. What do the wise and knowledgeable people of this
> forum have to say about that? Should we freak out just now or...? I'll
> try to hold my breath until I've read some of the opinions I'll,
> hopefully, get in reply!
>
> Thanks for listening, or rather, reading! Regards,...
>
>
> Juan.
>
>
> - What about love...?
> - Overrated! Biochemically no different than large quantities of
> chocolate.
> -- Keanu Reeves & Al Pacino, "Devil's Advocate".
_______________________________________________
macos-x-server mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/macos-x-server
Do not post admin requests to the list. They will be ignored.
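As an added example (mine, not code from either poster), a small Python audit in the spirit of Michael's advice: it parses a simplified sudoers and flags rules that hand non-root users open-ended root, showing a stock-style rule beside a restricted one. The sudoers contents and the MAINT command list are constructed for illustration.

```python
import re

# Constructed sample sudoers contents (not from the thread): the stock-style
# rule behind the "Administrator" checkbox, and a restricted alternative.
STOCK_SUDOERS = """\
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL        # open-ended: equivalent to root
"""

RESTRICTED_SUDOERS = """\
# Hypothetical command list; each member must itself not hand out a root
# shell or arbitrary root file writes, or the restriction is meaningless.
Cmnd_Alias  MAINT = /usr/sbin/softwareupdate, /sbin/shutdown
root    ALL=(ALL) ALL
%admin  ALL=(ALL) MAINT
"""

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
# user  host=(runas) cmd, cmd ...   (runas part optional; defaults to root)
RULE_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")

def parse_sudoers(text):
    """Return (cmnd_aliases, rules); handles only the subset of syntax used here."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = RULE_RE.match(line)
        if m:
            user, hosts, runas, cmds = m.groups()
            rules.append({"user": user, "hosts": hosts, "runas": runas or "root",
                          "cmds": [c.strip() for c in cmds.split(",")]})
    return aliases, rules

def open_ended_grants(text):
    """Users/groups other than root that may run ALL commands as root (or as ALL)."""
    aliases, rules = parse_sudoers(text)
    flagged = []
    for r in rules:
        # Expand Cmnd_Aliases so an alias that resolves to ALL is caught too.
        cmds = [c for name in r["cmds"] for c in aliases.get(name, [name])]
        if r["user"] != "root" and "ALL" in cmds and r["runas"] in ("ALL", "root"):
            flagged.append(r["user"])
    return flagged

if __name__ == "__main__":
    print("stock:", open_ended_grants(STOCK_SUDOERS))            # ['%admin']
    print("restricted:", open_ended_grants(RESTRICTED_SUDOERS))  # []
```

The restriction only helps if none of the listed commands can write arbitrary files or spawn a shell as root; sudoers(5) tags, host aliases and runas groups are outside this parser's subset.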

References: 
 >Security flaw... kindda! (From: Juan Manuel Palacios <email@hidden>)


