Re: Security Issue ... was[What happens to ...]
- Subject: Re: Security Issue ... was[What happens to ...]
- From: Darkshadow <email@hidden>
- Date: Fri, 19 Oct 2001 12:11:58 -0400

On Wednesday, October 17, 2001, at 03:54 PM, Jonathan Hendry wrote:

> I doubt it. I suspect it's due to the fact that the menu itself
> is owned and operated by an suid-root application. The code that
> launches an application picked from the Recent Items menu must
> run as the application that's running, which means running as
> root for an suid root app.
>
> Whoops.

This looks to be the reason. You can do this with any app being run as
root - doesn't matter if it's suid or not. If you launch any app as
root in the terminal (I used Calculator), quit the terminal, switch over
to the app, and choose the terminal from the Recent Items menu, it gets
launched as root. Any app gets launched as root. And, since that app
you just launched is running as root, you don't even need to switch back
to the first app to launch another one as root - simply choose it from
the Recent Items menu from there. So it does seem that the Apple menu
uses the user the app was launched as. Big whoops.

It is a rather annoying bug - but it's not a giant one. You can't make
use of this in the command line, since you need to be able to select
stuff from the Recent Items menu. Your computer is already vulnerable
if someone is sitting at it - this makes it easier for them, but they
still could have done it anyway. All they'd need to do is reboot into
single user mode - voila, instant root access.