Re: Hello Debugger/Goodbye Machine
On Mar 10, 2006, at 10:37 AM, Andrew Gallatin wrote:

load: mydriver.kext
	sudo chown -R root:wheel mydriver.kext
	(sudo kextload -s . -r . mydriver.kext; sudo chown -R $(USER):wheel mydriver.kext)

That's a feature, not a bug. The intent is to make it impossible for third parties to demand-load a KEXT that does malicious things behind your back, without you first granting explicit authorization during the install by typing your admin password. If it were not this way, it'd be trivial to compromise your machine from a shell account.

It is a bug. If I, as root, explicitly request that a KEXT be loaded, it should darned well be loaded no matter who owns it. I assume that by "demand loading", you mean automagically loading a KEXT as a dependency? I agree that there should be security checks on that, but they shouldn't apply to an explicit kextload issued by root.

-- Terry

Terry Lambert writes:

You might want to do the chown before you try loading it, or the first time will always fail... ?

I do..

Sorry; I mistook the second chown as the chown you were complaining about. Mea culpa. Mike Smith caught me out on this one, too.

The only drawback is that the NFS fs must be exported with root=0 to avoid running into the bug that requires kexts be owned by root:wheel.

It's not a bug, and I'm unwilling to discuss the security implications further.
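The root:wheel ownership requirement argued over in this thread can be audited before kextload is called. The script below is an added example, not part of the original message and not Apple's code; the function name kext_owner_audit, the use of uid 0 / gid 0 for root:wheel, and the extra group/other write-bit check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a kext bundle's ownership before loading it.
# Assumptions: root:wheel is uid 0 / gid 0 (as on Darwin); the write-bit
# check is an extra hardening step that the thread does not mention.

# kext_owner_audit BUNDLE [UID] [GID]
# Prints every path under BUNDLE that is not owned by UID:GID (default 0:0)
# or that is writable by group or other (symlinks are exempt from the mode
# check because their mode bits are not meaningful).
# Returns 0 if the bundle is clean, 1 if offenders were found, 2 on bad input.
kext_owner_audit() {
    bundle=$1
    want_uid=${2:-0}
    want_gid=${3:-0}

    if [ ! -d "$bundle" ]; then
        echo "kext_owner_audit: not a directory: $bundle" >&2
        return 2
    fi

    # One pass over the whole bundle: a single stray file owned by an
    # unprivileged account is enough to let that account swap the code
    # that root later loads into the kernel.
    offenders=$(find "$bundle" \( \
        ! -user "$want_uid" -o ! -group "$want_gid" \
        -o \( ! -type l \( -perm -020 -o -perm -002 \) \) \
        \) -print)

    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}
```

Called as `kext_owner_audit mydriver.kext` it checks for 0:0; the optional UID and GID arguments exist so the function can be exercised without root.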