BEWARE: 10.3.9 breaks standard Unix functionality

Bear

macrumors G3
Original poster
Jul 23, 2002
8,089
4
Sol III - Terra
From the 10.3.9 announcement email I just received, Apple removed some standard Unix functionality because it is a security threat:
Kernel
CVE ID: CAN-2005-0970
Impact: Permitting SUID/SGID scripts to be installed could lead to
privilege escalation.
Description: Mac OS X inherited the ability to run SUID/SGID scripts
from FreeBSD. Apple does not distribute any SUID/SGID scripts, but
the system would allow them to be installed or created. This update
removes the ability of Mac OS X to run SUID/SGID scripts. Credit to
Bruce Murphy of rattus.net and Justin Walker for reporting this
issue.
However, some shops may have written scripts that depend on that functionality being there.

What third party applications may have been broken because of this? What places that use Mac servers are not going to be able to update to 10.3.9 without issues because of this?

I know I had a few scripts set up that way.
 

MisterMe

macrumors G4
Jul 17, 2002
10,650
29
USA
Bear said:
From the 10.3.9 announcement email I just received, Apple removed some standard Unix functionality because it is a security threat:
However, some shops may have written scripts that depend on that functionality being there.

What third party applications may have been broken because of this? What places that use Mac servers are not going to be able to update to 10.3.9 without issues because of this?

I know I had a few scripts set up that way.
If the flaws found in MacOS X (Darwin) also exist in other implementations of BSD, then the fixes to the flaws will also propagate to other implementations of BSD. This means that scripts that depend on these flawed functions will have to be changed irrespective of BSD implementation.
 

Bear

MisterMe said:
If the flaws found in MacOS X (Darwin) also exist in other implementations of BSD, then the fixes to the flaws will also propagate to other implementations of BSD. This means that scripts that depend on these flawed functions will have to be changed irrespective of BSD implementation.
Actually, I don't think I was stating whether it was a good or a bad fix. I was pointing it out so people didn't get bitten by it.

And it's not just BSD, every flavor of Unix (including Linux) has (had?) the SUID/SGID functionality. There are a lot of scripts in use that depend on this. And you know something, Unix has had this functionality for like forever and it hasn't been a big issue.
 

Westside guy

macrumors 603
Oct 15, 2003
5,512
2,460
The soggy side of the Pacific NW
Bear said:
And it's not just BSD, every flavor of Unix (including Linux) has (had?) the SUID/SGID functionality.
Yes, and it's often been the source of privilege escalation attacks. There was a well-known Perl suid issue about four years ago, and there were Apache suexec issues (a similar sort of thing) prior to that. I'm pretty sure Red Hat, and likely most other Linux vendors, now disable suid-like capabilities by default - you can always manually enable them if you need them.
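
Added example (not part of any post in this thread): a shell audit that lists files carrying the SUID or SGID bit that are interpreter scripts, i.e. the ones that stop running with elevated privileges once the kernel ignores those bits on scripts. The function names is_script and find_setid_scripts are made up for this example.

```shell
#!/bin/sh
# Audit for SUID/SGID *scripts* before applying an update that disables them.
# Assumption: function names are illustrative, not from Apple or the thread.

# True if the file's first two bytes are "#!", meaning the kernel hands it
# to an interpreter rather than executing it as a native binary.
is_script() {
    magic=$(LC_ALL=C dd if="$1" bs=2 count=1 2>/dev/null)
    [ "$magic" = '#!' ]
}

# Print every regular file under $1 (default: /) that has the setuid (4000)
# or setgid (2000) bit set and is a script. -xdev keeps the walk on one
# filesystem. File names containing newlines are not handled.
find_setid_scripts() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if is_script "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Stand-alone use: sh audit.sh /usr/local
if [ "$#" -gt 0 ]; then
    find_setid_scripts "$1"
fi
```

Run it as root so unreadable directories are not skipped; anything it prints needs another way to get its privileges (for example a sudo rule or a small compiled wrapper) before the update goes on.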
 