Mac OS X hackable with application installer?

Discussion in 'macOS' started by MrFrankly, Sep 16, 2006.

  1. MrFrankly macrumors regular

    Jan 11, 2006
    Mac Geekery has an article about how it's potentially possible for installer applications to do root privileged operations without prompting the user for a password.

    This means that it's possible for an installer to install a backdoor on your Mac without asking you for a password like it should do normally when performing root-only operations.

    Because this is the standard setup of Mac OS X this could be considered an implementation mistake from Apple. Users expect to be prompted for a password when root privileged actions have to be made by an installer. But with relative ease installers can choose not to prompt for a password, leaving users unaware that the core of their system is being altered.

    The Mac Geekery article has more details and a better description of the problem.
  2. JDN macrumors 6502a

    Sep 7, 2006
    Lund Sweden {London England}
    What are root privileged actions?? Sorry, im a newbie.
  3. Shadow macrumors 68000


    Feb 17, 2006
    Keele, United Kingdom
    Well, root is the super-duper user of *NIX systems, so they are actions that require the root user to do. Things that will alter the OS, stuff like that.

    Bow down before me, for I am ROOT!:eek:
  4. benthewraith macrumors 68040


    May 27, 2006
    Miami, FL
    Doesn't OS X decide what's a threat and what's not. It doesn't ask for a password when installing Firefox? :confused:

    So I guess we'll be seeing another security update sometime soon in 10.4.8.
  5. iMeowbot macrumors G3


    Aug 30, 2003
    Not really. It ultimately relies on the good intentions of programmers. Installers don't have to really tell you what they are doing, and no security update is going to be able to change that in a bulletproof way.
    Firefox doesn't use an installer, you simply copy the application to your disk.

    I'm not so sure that a password prompt will make that much of a difference, since users are already conditioned to enter those for installers.
  6. Demoman macrumors regular

    Mar 29, 2005
    Issaquah, WA
    After reading the article it seems to be a self-fulfilling prophecy. If, if, if.....
    The perp still has to become the root user, and the user has to virtually open the door for them to do so.
  7. MrFrankly thread starter macrumors regular

    Jan 11, 2006
    Yes, but basically this is the same situation where Windows always get burned for. Users running as admin is dangerous. But with Windows the solution (run as) doesn't really work. Mac OS X however does have a perfect working solution available already. You only need to have a seperate admin user and a normal working account and then you will always be prompted for the admin password at the right situations. So there is a good, safe and workable solution available but it simply isn't used in a default installation.

Share This Page