[X-Unix] Security content of the Mac OS X 10.3.9 Update

William H. Magill magill at mcgillsociety.org
Mon Apr 18 06:52:25 PDT 2005


On 18 Apr, 2005, at 02:25, Kuestner, Bjoern wrote:
> I read the following page:
>
> About the security content of the Mac OS X 10.3.9 Update
> <http://docs.info.apple.com/article.html?artnum=301327>
>
> This Apple page states the following:
>
>> Kernel
>> Impact: Permitting SUID/SGID scripts to be installed could lead to
>> privilege escalation.
>> Description: Mac OS X inherited the ability to run SUID/SGID scripts
>> from FreeBSD. Apple does not distribute any SUID/SGID scripts, but the
>> system would allow them to be installed or created. This update
>> removes the ability of Mac OS X to run SUID/SGID scripts. Credit to
>> Bruce Murphy of rattus.net and Justin Walker for reporting this issue.
>
> I'm not sure I understand this right. Is 10.3.9 disabling the SUID/SGID
> functionality?

The statement is misleading. While Apple does not distribute SUID/SGID
"scripts", it does distribute SUID "programs" -- the most well known
being sudo.

> Let's assume I created a script which should always be run by a special
> technical user account setup for a specific purpose, e. g. "backup".
>
> Let's further assume I have a script runBackup.sh with ownership of
> user "backup" and rwxr-sr-s permissions.
>
> Do I understand the above paragraph correctly that after the 10.3.9
> update this script will no longer work like it should if user "joe"
> calls it?

Without testing, I can't tell for certain, but I would assume you are
correct.

However, the same functionality is accomplished by using "sudo" --
"Runas_User."
This will require that the user use the syntax
"sudo -u backup runBackup.sh".
You CAN stipulate if a password is required to run that script or not.

Sudo is much more powerful and useful than 98% of the Unix (not just
OS X) user community realizes.

T.T.F.N.
William H. Magill
# Beige G3 [Rev A motherboard - 300 MHz 768 Meg] OS X 10.2.8
# Flat-panel iMac (2.1) [800MHz - Super Drive - 768 Meg] OS X 10.3.8
# PWS433a [Alpha 21164 Rev 7.2 (EV56)- 64 Meg] Tru64 5.1a
# XP1000  [Alpha 21264-3 (EV6) - 256 meg] FreeBSD 5.3
# XP1000  [Alpha 21264-A (EV 6.7) - 384 meg] FreeBSD 5.3
magill at mcgillsociety.org
magill at acm.org
magill at mac.com
whmagill at gmail.com
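
An added example, not part of the original message: a POSIX shell audit that lists scripts still carrying the setuid or setgid bit (the files affected by the 10.3.9 change quoted above) and prints a sudoers line of the Runas form the reply suggests. The function names, the invoker `joe` and the path `/usr/local/bin/runBackup.sh` are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Constructed names:
# find_setid_scripts, sudoers_rule, and the invoker "joe" in the usage lines.

# is_script FILE: succeeds when FILE begins with the "#!" interpreter marker.
is_script() {
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null | tr -d '\000')" = "#!" ]
}

# find_setid_scripts DIR: print "MODE OWNER PATH" for every regular file
# under DIR that has the setuid or setgid bit set and is a script.
# Compiled setuid programs such as sudo itself are skipped.
find_setid_scripts() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        is_script "$f" || continue
        # ls -ld columns: mode, link count, owner, group, ...
        printf '%s %s\n' "$(ls -ld "$f" | awk '{print $1, $3}')" "$f"
    done
}

# sudoers_rule INVOKER PATH [nopasswd]: print a sudoers line that lets
# INVOKER run PATH as the file's current owner (the Runas user).
# Assumes PATH is absolute and has no characters sudoers would need escaped.
sudoers_rule() {
    owner=$(ls -ld "$2" | awk '{print $3}')
    tag=""
    if [ "${3:-}" = "nopasswd" ]; then tag="NOPASSWD: "; fi
    printf '%s ALL = (%s) %s%s\n' "$1" "$owner" "$tag" "$2"
}

# Usage (review the output, then add the rule with visudo):
#   find_setid_scripts /usr/local
#   sudoers_rule joe /usr/local/bin/runBackup.sh nopasswd
```

Once a rule is in place, the setuid/setgid bits on the script can be cleared with `chmod ug-s`, since sudo now handles the identity switch.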


