Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Possible security hole?

S

SC68Cal

macrumors 68000
Original poster
Feb 23, 2006
1,642
0
I might have found at least, an itsy bitsy hole.

Normally a user without administrator privs. cannot add items to the /Applications directory without the authenticating with an Admin account. However, in terminal, someone can invoke rm <folder> into /applications without having to authenticate.
 
G

glib

macrumors member
Mar 7, 2006
57
0
I can also rm -R something in /Applications with my normal user account. However, I can also copy to applications with my normal user account just fine. Permissions are the same for me.
 
S

SC68Cal

macrumors 68000
Original poster
Feb 23, 2006
1,642
0
Meaning you don't need to authenticate to add programs to /Applications via Finder as a standard user?
 
beatsme

beatsme

macrumors 65816
Oct 6, 2005
1,204
2
SC68Cal said:
I might have found at least, an itsy bitsy hole.

Normally a user without administrator privs. cannot add items to the /Applications directory without the authenticating with an Admin account. However, in terminal, someone can invoke rm <folder> into /applications without having to authenticate.
Click to expand...

report it to Apple. See what they say.
 
bearbo

bearbo

macrumors 68000
Jul 20, 2006
1,858
0
i think it depend on what your privilage is... im not sure

also, i think u can add small simple drag into app folder apps... if not to the root app folder, at least to user app folder...
 
MacBoobsPro

MacBoobsPro

macrumors 603
Jan 10, 2006
5,114
6
If you think you have found something iffy. Dont post it on a forum, keep it quiet and tell Apple. :rolleyes:
 
S

SC68Cal

macrumors 68000
Original poster
Feb 23, 2006
1,642
0
Okay. I've tried to replicate what I did last night with just a normal folder. I was given a permission denied error.

I'm going to retrace what exactly allowed me to move the program "John The Ripper" into the Applications folder from my Standard Account.

Currently, the permissions for the John folder

Owner = Standard Account
Access = R & W

Group = Admin
Access = R & W

Others = No Access

I'm beginning to wonder if that since I compiled John with my admin account, that is what allowed it to be moved.
 
D

ddekker

macrumors regular
Sep 23, 2006
222
0
Michigan
ROFLOL... I love the "its not a hole.. its a feature"... lol.. if it were MS it would be all over the news...

D
 
gauchogolfer

gauchogolfer

macrumors 603
Jan 28, 2005
5,551
5
American Riviera
ddekker said:
ROFLOL... I love the "its not a hole.. its a feature"... lol.. if it were MS it would be all over the news...

D
Click to expand...

Who the heck has made this comment? Honestly.

The OP even reported that he has some admin privileges on the account, and the other posters suggested reporting it to Apple.

Sheesh :rolleyes:
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom