[X-Unix] Security content of the Mac OS X 10.3.9 Update

Matthew Barr mbarr at mbarr.net
Mon Apr 18 08:16:18 PDT 2005


What I'm concerned about is things like spamd, a part of spamassassin.  
It runs as a user, then setuid's to the user running the client.  This 
allows it to use a bunch of config files and db's as the user 
directly... It sounds like it'll be dead if you add in 10.3.9.   We'll 
have to see.

The difference between running normal SA & spamd is about 12 seconds vs 
1.5 seconds per message.  spamd's performance is even better, but 
that's just on a single message...  (it gets better due to being able 
to handle multiple messages at once, vs a single message for SA )

Matthew

Matthew Barr
Managing Partner
Datalyte Consulting, LLC
Apple Authorized Reseller
mailto:mbarr at datalyte.com
cell: (646) 765-6878


On Apr 18, 2005, at 11:06 AM, Albert Lunde wrote:

>>> I'm not sure I understand this right. Is 10.3.9 disabling the SUID/SGID
>>> functionality?
>>
>> The statement is misleading. While Apple does not distribute SUID/SGID
>> "scripts" it does distribute SUID "programs" -- the most well known being
>> sudo.
>
> The reason for concern about setuid _scripts_ is that, under many
> versions of Unix, there is a race condition that makes setuid
> scripts insecure. (I think what it amounts to is that one
> can't be sure the script interpreter is running the same script as
> was there when the setuid bit was evaluated.)
>
> The classic workaround has been to write a setuid wrapper
> program, say in C, and have that run a non-setuid script.
>
> Some OS or script interpreter versions have tried to avoid the race
> condition, but it's easier to turn off the dangerous case than "fix" it.
>
> (This was first an issue with shell scripts but it also can apply
> to things like perl.)
> _______________________________________________
> X-Unix mailing list
> X-Unix at listserver.themacintoshguy.com
> http://listserver.themacintoshguy.com/mailman/listinfo/x-unix
>

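As an added example (not code from this thread, from SpamAssassin, or from Apple), here is the "setuid wrapper in C that runs a non-setuid script" workaround Albert describes, written so that it also closes the window he mentions: the script is opened once, the open descriptor (not the path) is checked with fstat(), and that same descriptor is executed with fexecve(), so the interpreter never re-resolves a path that an attacker could have swapped. The target path, the ownership policy and the use of Linux/FreeBSD fexecve() are assumptions; older Mac OS X has no fexecve(), and the fallback there is execve() on the validated absolute path, which narrows but does not remove the window. The selftest_* functions at the end exercise the checks on constructed temporary files and are not part of the wrapper itself.

```c
/* Added example: setuid wrapper that execs a fixed, non-setuid script.
 * Assumptions: Linux/FreeBSD (fexecve), TARGET_SCRIPT is root-owned and
 * not group/world-writable.  Install as root:root mode 4755. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed target (hypothetical path): an absolute path, no setuid bit. */
#define TARGET_SCRIPT "/usr/local/libexec/spamd-helper.sh"

/* Nothing from the caller's environment survives: PATH, IFS, LD_* and
 * PERL5LIB are the classic ways to subvert a privileged script. */
static char *const safe_env[] = {
    "PATH=/usr/bin:/bin:/usr/sbin:/sbin",
    NULL,
};

/* 1 if fd is a regular file owned by `owner` that only the owner may write. */
int target_is_trusted(int fd, uid_t owner)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != owner) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Open the script once, refusing a symlink at the final component, and
 * validate the descriptor we are going to execute rather than the path.
 * Deliberately no O_CLOEXEC: the interpreter reads the script via /dev/fd/N.
 * Returns the descriptor, or -1 if the target is not acceptable. */
int open_trusted_target(const char *path, uid_t owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (!target_is_trusted(fd, owner)) { close(fd); return -1; }
    return fd;
}

int main(void)
{
    uid_t privileged = geteuid();   /* the uid the setuid bit gave us */
    int fd = open_trusted_target(TARGET_SCRIPT, privileged);
    if (fd < 0) { perror("wrapper: refusing to run target"); return 1; }

    /* bash, perl and similar interpreters drop privileges when the real
     * and effective uid differ, so make them match before exec. */
    if (setuid(privileged) != 0) { perror("setuid"); return 1; }

    /* Fixed argument vector: caller-controlled arguments are not forwarded. */
    char *const argv[] = { (char *)TARGET_SCRIPT, NULL };
    fexecve(fd, argv, safe_env);   /* runs the validated descriptor */
    perror("fexecve");
    return 1;
}

/* Self-checks on constructed temporary files (not part of the wrapper). */
static int check_with_mode(mode_t mode)
{
    char tmpl[] = "/tmp/wrapXXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    fchmod(fd, mode);
    int ok = target_is_trusted(fd, getuid());
    close(fd);
    unlink(tmpl);
    return ok;
}
int selftest_owner_only(void)     { return check_with_mode(0700); }  /* 1 */
int selftest_world_writable(void) { return check_with_mode(0666); }  /* 0 */
int selftest_symlink_refused(void)   /* -1: O_NOFOLLOW rejects the link */
{
    char tmpl[] = "/tmp/wrapXXXXXX", link[64];
    int fd = mkstemp(tmpl);
    if (fd < 0) return -2;
    fchmod(fd, 0700);
    close(fd);
    snprintf(link, sizeof link, "%s.lnk", tmpl);
    if (symlink(tmpl, link) != 0) { unlink(tmpl); return -2; }
    int r = open_trusted_target(link, getuid());
    if (r >= 0) close(r);
    unlink(link);
    unlink(tmpl);
    return r;
}
```

The ownership and mode checks are what the kernel's own setuid-script path never gets to apply after the interpreter re-opens the file; doing them on the descriptor that will be executed is the point. The wrapper also refuses to forward the caller's argv and environment, which is the other half of what made setuid shell and perl scripts dangerous (IFS, PATH and library-path variables), and it sets the real uid so the interpreter does not silently drop the privilege the wrapper was meant to confer.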