Re: Major Tiger AppleScript security hole?
- Subject: Re: Major Tiger AppleScript security hole?
- From: "J. Stewart" <email@hidden>
- Date: Thu, 23 Jun 2005 17:58:14 -0400
On 06/23/05 at -0400 Stephen Jonke said this
>I was very surprised to find while experimenting that any user, even
>a non-admin user, can tell the applications of the currently logged
>in (to the GUI) user to do things, even destructive things!
>
>I was logged into the GUI and then at the terminal I did an "su" to a
>different user, one without admin privileges. I then entered the
>following command:
>
> osascript -e 'tell app "Finder" to quit'
>
>It worked!
>
>Then I created a test file "test.txt" in my (user sjonke) home
>folder, and set the privileges such that only I had read/write
>access, with the group and other set to no access. I then tried this
>at the terminal, logged in as the other and non-admin user:
>
> osascript -e 'tell app "Finder" to delete file "test.txt" of home'
>
>It worked! I can trash any file that the currently logged in user has
>write access to!
>
>Is there something seriously screwed up with my system or does this
>work for others too? If it does then we have a rather major security
>flaw in Tiger!
Apparently you aren't too clear about what the "su" command means and/or does in UNIX. Take a look at "man su" in terminal. What you've described here is exactly what should happen given the conditions you've set. This isn't a security hole, just a lack of understanding. Actually, if what you've described didn't happen it would be a major bug in the su command!
BTW, this has little or nothing to do with AppleScript itself; it's UNIX shell scripting. That you are compiling and running an AppleScript via the shell script is incidental.
JBS
--
There are 2 theories to arguing with a woman...neither works. — Will Rogers
Applescript-users mailing list (email@hidden)