Re: Leopard and Cache.db files
Re: Leopard and Cache.db files
- Subject: Re: Leopard and Cache.db files
- From: Ron Hunsinger <email@hidden>
- Date: Tue, 22 Apr 2008 22:18:27 -0700
At 5:26 PM -0500 4/22/08, Jeff Johnson wrote:
Does anyone know whether this change of location for CFNetwork
caches also occurs for FileVault volumes? If so, then that does seem
to be a security issue, because /var is not encrypted by FileVault.
I think I can confirm your worst fears.
I'm running 10.5.2, and happen to keep a spare FileVault user around
for testing purposes. I logged in as that user, fired up Safari
(first time for that user) and it created
/private/var/folders/.../-Caches-/com.apple.Safari/Cache.db
where the ... part of the path is obviously ad hoc. This file
persists even after the user logs out.
The ONLY security on that file is that the intermediate directory
-Caches- is readable only by that user. com.apple.Safari itself and
Cache.db are both world readable, although marked as quarantined
files.
Cache.db is an sqlite3 database, which I had no trouble exploring
once I used sudo to get past the permissions on -Caches-. No
encryption anywhere in sight.
Just for a taste of that, to get a list of cached urls for user
'joe', enter the following commands one at a time (the -ok flag is so
'find' will prompt you before running the command, just in case it
finds another Cache.db file in there. If it's the right one, say 'y'):
sudo find /var/folders -user joe -name Cache.db -ok sqlite3 {} \;
select request_key from cfurl_cache_response;
.quit
This works under OS X 10.5.2, even for a file-vaulted user who is not
logged in at the time.
-Ron Hunsinger
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden