Security Update 9-20-02

Tiauguinho

macrumors 6502a
Original poster
Mar 5, 2002
647
0
The Netherlands
This is a good one... When you finish installing the update, run the software update again... the Update is there again! Is it just me?
 

MacRumors

macrumors bot
Apr 12, 2001
46,721
8,940
Security Update 9-20-02

Apple has another update in Software Update:

Security Update 2002-09-20 includes the following updated components which provide increased security to prevent unauthorized access to applications, servers, and the operating system.

Only Terminal is listed as being updated. Direct download is also available.
 

Stike

macrumors 65816
Jan 31, 2002
1,010
4
Germany
Originally posted by Tiauguinho
This is a good one... When you finish installing the update, run the software update again... the Update is there again! Is it just me?
No, it happens to me as well. They should update SoftwareUpdate. Stupid. :( :eek: :confused: :mad:
 

RogueLdr

macrumors regular
Jul 22, 2002
119
0
People's Republic of Ann Arbor
Re: Re: Security Update 20.9.2002

Originally posted by DavidRavenMoon


We get one every month... are we going to talk about it every month? ;)
With all the speculation on future releases, sometimes it's nice to be able to say that something new actually came out. So, I guess, yes, it would seem so.;) :D
 

tychay

macrumors regular
Jul 1, 2002
219
29
San Francisco, CA
The reason why...

is because it is a pretty major security hole that has been fixed.

In Jaguar, Terminal now runs if a URL (such as a hyperlink on a website) points to telnet://localhost or ssh://localhost. It wasn't verifying the URL syntax before this so a properly designed hyperlink could execute arbitrary commands on your computer as you. (such as delete your home directory).

To verify this feature, just type "ssh://localhost" in your browser address window or click on the above links and see what happens. Note that this doesn't work in OmniWeb due to some bug.

Luckily no user runs as super user so they couldn't wipe out your system, but I'd say the update is major enough to warrant a security fix.

Take care,

terry
 

Dave Marsh

macrumors regular
Jul 23, 2002
210
0
Sacramento, CA
Re: The reason why...

So, I'm confused. I've installed the security update, and clicking on these examples does startup Terminal. Was this security fix supposed to NOT startup Terminal?
 

MacBandit

macrumors 604
Re: Re: The reason why...

Originally posted by Dave Marsh
So, I'm confused. I've installed the security update, and clicking on these examples does startup Terminal. Was this security fix supposed to NOT startup Terminal?

If you notice the window it opens shows connection refused and says exited. This is what it should do.
 

beatle888

macrumors 68000
Feb 3, 2002
1,690
0
Re: The reason why...

Originally posted by tychay

Luckily no user runs as super user so they couldn't wipe out your system, but I'd say the update is major enough to warrant a security fix.

Take care,

terry
hey i just clicked on reply and the lawyer switch ad just came on the tv :p

Ok to the question...TYCHAY, i was wondering
if super user is the same as "Administrator".
My computer has me listed as administrator.
But i still need to give a password before installing. I always use my computer in this
user mode (me with administrator privileges).
Is this commen, or am I in a usermode that
I shouldnt be in? I still need to type in a password for installations so I think it's ok.

beatle888 long live john lennon.:p
 

MacBandit

macrumors 604
Re: Re: The reason why...

Originally posted by beatle888


hey i just clicked on reply and the lawyer switch ad just came on the tv :p

Ok to the question...TYCHAY, i was wondering
if super user is the same as "Administrator".
My computer has me listed as administrator.
But i still need to give a password before installing. I always use my computer in this
user mode (me with administrator privileges).
Is this commen, or am I in a usermode that
I shouldnt be in? I still need to type in a password for installations so I think it's ok.

beatle888 long live john lennon.:p

If you are the main user that controls the adding/deleting of other users and system prefs then you are the administrator. Super User is a way of gaing priveledges directly to the main subsystems. It is mode that you would use if you were a debugger for Apple or rewriting the main system. So the answer to your question is no admin is not the same as Super User.
 

tychay

macrumors regular
Jul 1, 2002
219
29
San Francisco, CA
the answer

Well if you must know the gory details (apologies for any errors).

In the underpinnings of your typical unix system there is a concept of users and a concept of groups. There is an account called "root" who belongs to a group called "administrator" with the power to do anything on your system. In the old days of pre Windows NT and Mac OS 9, this sounds like your typical windows/mac user but on multi-user systems, this sounds sort of scary. Now access control is done by changing your username to "root" with the command "su root -" (su = super user) and hacking away as a different user who now has access to everything.

This wasn't fun because now everyone has the root password. Unfortunately "groups" are not "roles" so there are some limitations, but it made a passable "next best thing". This "thing" is to create a group called "wheel" which users could belong to. Now instead of "su root -" one types "sudo <command>" (sudo = "do as super user") and then the OS prompts the user for their password if they are member of this wheel group and executes it "as root" (if they are not a member of this group, they are not prompted and can never access as root). Thus the system administrator account ("root") is locked out, but you can still do things "as root" if you are a member of a special group.

The major security issue fixed here is that now when a user no longer is an administrator you don't have to generate a new root password and provide it to everyone. Another security issue is that the username "root" is now inaccessible to remote hack attempts, so a dictionary attack on that account is going to fail.

The rough Mac OS X equivalent here is obvious. You don't see the System Administrator in the Accounts Preference pane (though if you look under /users/ you'll see the user as "root" in NetInfo Manager). Instead an "Admin" in your Accounts basically does the equivalent of assigning the user as part of the "wheel" group.

I say equivalent here because I don't understand this NetInfo management stuff that was inherited from NeXT and is part of OSX. This is being replaced with LDAP the same way AppleTalk is being replaced by Rendevous and TCP/IP. To the end user it makes no difference, but to a unix hacker, you may sometimes run into some strange effects. For instance if you "cat /etc/groups" you'll notice that only "root" is a member of the "admin" and "wheel" groups, but when you look in NetInfo manager you'll notice that you and your fellow admins are a member of both groups (while root isn't a member of the wheel group). Weirdness!

I hope this helps,

terry

Once more without the technobabble! If I created a hyperlink on my webpage that points to "ssh://rm -rf /*" (or somesuch) and you clicked on it in 10.2 pre-update it cannot remove EVERY file on your hard drive (only the ones owned by you which very often is most of /Applications and your entire /Users/username/ directory). And, if I changed this to a like like "ssh://sudo rm -rf /*" it would prompt you for your administrator password first, thus saving you from your own stupidity. The idea of some nut creating hyperlinks that look like normal hyperlinks but start deleting your entire hard drive or creating accounts or opening up security holes on your computer simply by you clicking on them is not very appealing.

The proper thing to do, was never allow such a bug to exist, which is exactly what Apple fixed with this update. This means "web location files cannot execute arbitrary commands in Terminal" with the assumption that "Terminal" is what is run when your browser sees "ssh:" and "telnet:", of course Apple can't be expected to fix every bug in every 3rd party program, so we'll assume you have the Apple provided defaults of having Terminal as the Helper program for these URLs.

BTW, you can modify this with a freely available program called "More Internet" preference pane.

Also before Jaguar (I believe) Terminal didn't understand the "ssh:" or "telnet:" URLs so this wasn't an issue.