Re: do shell script security issue


  • Subject: Re: do shell script security issue
  • From: Loukas Kalenderidis <email@hidden>
  • Date: Thu, 3 Apr 2003 15:27:02 +1000

On Thursday, April 3, 2003, at 02:20 AM, Paul Skinner wrote:

On Tuesday, April 1, 2003, at 08:30 PM, Loukas Kalenderidis wrote:

When using `do shell script with administrator privileges' sudo is executed with the -S option (from sudo(8): The -S (stdin) option causes sudo to read the password from standard input instead of the terminal device.). The administrator password provided (either given directly to the do shell script call, or entered in the authentication dialog) is passed to sudo through a pipe from an echo command.

Eg:
Running the shell script `do shell script "perl -e 'while(1){}'" with administrator privileges', and then entering the administrator password.

ps output shows:
root 1293 72.3 0.1 1300 324 ?? R 11:24AM 0:02.90 perl -e while(1){}
loukas 1291 0.0 0.2 1828 476 ?? S 11:24AM 0:00.00 sh -c echo '<password>' | sudo -p "" -S perl -e 'while(1){}'

(obviously I removed my password from the paste).

The result is that any user with access to run ps can access the administrator password while a shell script is running.

----

Loukas Kalenderidis
Angier Consulting Pty Ltd

I can see the obvious undesirability of that, but I'm trying to understand what the real risks are.
I know that Unix is an inherently shared environment. So who would this 'user with access to run ps ' be?
Let's say I'm on a LAN at work or home running OSX. Who would actually be able to do this? Could any user with an account on my box do this assuming default settings?

Paul Skinner

By default any user can run ps. On a box at home it's not such a risk. But for example if you are running a script on a MacOSX Server box that uses this feature and users have ssh access then they could see the admin password.

I have been informed that this bug has been registered with Apple.

Loukas

----

Loukas Kalenderidis
Angier Consulting Pty Ltd
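
A defensive check for the exposure described in this thread, as an added example that is not part of the original messages: it scans ps-style output for a value echoed into `sudo -S` and reports the owning process with that value redacted. The sample lines, the placeholder secret and the function name are constructed for illustration.

```python
import re

# Constructed sample in the layout of the ps output quoted in the post
# (USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND); the secret is a placeholder.
SAMPLE_PS = """\
root    1293 72.3 0.1 1300 324 ?? R 11:24AM 0:02.90 perl -e while(1){}
loukas  1291  0.0 0.2 1828 476 ?? S 11:24AM 0:00.00 sh -c echo 'EXAMPLE-SECRET' | sudo -p "" -S perl -e 'while(1){}'
loukas  1302  0.0 0.1 1416 300 ?? S 11:25AM 0:00.01 sudo -S -v
paul    1310  0.0 0.1 1200 280 ?? S 11:25AM 0:00.00 sh -c echo done | tee /tmp/log
"""

# "echo <value> | sudo ..." inside one command line: the value is part of argv,
# so it is visible to every user who can list processes.
PIPED_SECRET = re.compile(
    r"""\becho\s+(?P<secret>'[^']*'|"[^"]*"|\S+)\s*\|\s*sudo\b(?P<opts>[^|;&]*)"""
)
# sudo reads the password from stdin only with -S / --stdin (heuristic match:
# a -S belonging to the command run under sudo would also be accepted).
STDIN_FLAG = re.compile(r"(?:^|\s)(?:-[A-Za-z]*S[A-Za-z]*|--stdin)(?=\s|$)")


def find_exposed_passwords(ps_text):
    """Return (user, pid, redacted_command) for every process whose command
    line shows a value being echoed into `sudo -S`."""
    findings = []
    for line in ps_text.splitlines():
        fields = line.split(None, 10)  # 11th field is the full command line
        if len(fields) < 11 or not fields[1].isdigit():
            continue  # header row or truncated line
        user, pid, command = fields[0], int(fields[1]), fields[10]
        match = PIPED_SECRET.search(command)
        if not match or not STDIN_FLAG.search(match.group("opts")):
            continue
        # Never copy the secret into the report; keep the rest for triage.
        redacted = (command[:match.start("secret")] + "<redacted>"
                    + command[match.end("secret"):])
        findings.append((user, pid, redacted))
    return findings


if __name__ == "__main__":
    for user, pid, command in find_exposed_passwords(SAMPLE_PS):
        print(f"password visible in argv: user={user} pid={pid} cmd={command}")
```

The plain `sudo -S -v` line in the sample is not flagged: a password that reaches sudo on stdin without being written into a command line does not show up in ps.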