Re: Hello Debugger/Goodbye Machine
- Subject: Re: Hello Debugger/Goodbye Machine
- From: Andrew Gallatin <email@hidden>
- Date: Fri, 10 Mar 2006 13:37:39 -0500 (EST)
Terry Lambert writes:
> > load: mydriver.kext
> > sudo chown -R root:wheel mydriver.kext
> > (sudo kextload -s . -r . mydriver.kext; sudo chown -R $(USER):wheel mydriver.kext)
>
> You might want to do the chown before you try loading it, or the first
> time will always fail...
? I do..
> > The only drawback is that the NFS fs must be exported with root=0 to
> > avoid running into the bug that requires kexts be owned by root:wheel.
>
> That's a feature, not a bug. The intent is to make it impossible for
> third parties to demand-load a KEXT that does malicious things behind
> your back, without you first granting explicit authorization during
> the install by typing your admin password. If it were not this way,
> it'd be trivial to compromise your machine from a shell account.
It is a bug. If I, as root, explicitly request that a KEXT
be loaded, it should darned well be loaded no matter who owns it.
I assume that by "demand loading", you mean automagically loading
a KEXT as a dependency? I agree that there should be security checks
on that, but they shouldn't apply to an explicit kextload issued
by root.
> And compile up your own copy that removes this restriction. I
> recommend that you do not do this; if you do it anyway, I recommend
> you do not give people shell access to the modified machine.
I don't think I'd even want to give people shell access to an *unmodified*
mac, based on the recently publicised security contest (http://www.zdnet.com.au/news/security/soa/Mac_OS_X_hacked_in_less_than_30_minutes/0,2000061744,39241748,00.htm).
Drew
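
An added example, not part of the original thread or of Apple's kext tools: a pre-load audit that lists every path in a bundle that breaks the root:wheel ownership rule discussed above, which is what a bundle looks like when read over an NFS export that remaps root. The function name `audit_kext`, the numeric ids (wheel taken as gid 0) and the extra group/other-writable check are assumptions of this sketch, not details given in the thread.

```shell
#!/bin/sh
# audit_kext BUNDLE [UID] [GID]   (hypothetical helper, added example)
# Prints each path inside BUNDLE that is not owned by UID:GID or that is
# writable by group/other, and returns 1 if any such path exists.
# Defaults are uid 0 (root) and gid 0 (wheel on Mac OS X; assumption).
audit_kext() {
    bundle=$1
    want_uid=${2:-0}
    want_gid=${3:-0}

    if [ ! -d "$bundle" ]; then
        echo "audit_kext: not a bundle directory: $bundle" >&2
        return 2
    fi

    # find does not follow symlinks by default, so a link is judged by its
    # own owner. Symlink mode bits are meaningless on many systems, so the
    # writable test is skipped for links.
    bad=$(find "$bundle" \( \
              ! -uid "$want_uid" \
              -o ! -gid "$want_gid" \
              -o \( ! -type l \( -perm -020 -o -perm -002 \) \) \
          \) -print)

    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit_kext.sh mydriver.kext
if [ "$#" -gt 0 ]; then
    audit_kext "$@"
fi
```

An empty listing with exit status 0 means every file in the bundle already satisfies the ownership rule; any listed path is one that the `chown -R root:wheel` step would have to fix before loading.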