Major Tiger AppleScript security hole?
- Subject: Major Tiger AppleScript security hole?
- From: Stephen Jonke <email@hidden>
- Date: Thu, 23 Jun 2005 11:26:34 -0400
I was very surprised to find while experimenting that any user, even
a non-admin user, can tell the applications of the currently logged
in (to the GUI) user to do things, even destructive things!

I was logged into the GUI and then at the terminal I did an "su" to a
different user, one without admin privileges. I then entered the
following command:

    osascript -e 'tell app "Finder" to quit'

It worked!

Then I created a test file "test.txt" in my (user sjonke) home
folder, and set the privileges such that only I had read/write
access, with the group and other set to no access. I then tried this
at the terminal, logged in as the other and non-admin user:

    osascript -e 'tell app "Finder" to delete file "test.txt" of home'

It worked! I can trash any file that the currently logged in user has
write access to!

Is there something seriously screwed up with my system or does this
work for others too? If it does then we have a rather major security
flaw in Tiger!

Steve