[X-Unix] App launched by my crontab runs as root if Login Window!

Alexandre Gauthier supernaut at underwares.org
Fri Jun 3 08:10:11 PDT 2005


John Harrold wrote:

>Sometime in June Jerry Krinock assaulted the keyboard and produced:
>
>| When the time comes, you will see iCal (or, I believe, any other app)
>| show its GUI ***BEHIND THE LOGIN WINDOW***.  It has a menu, and if you
>| don't mind working around the login window, you can actually use the
>| application, without logging in.  Now go to save a file and you can see
>| from your directory access that you are RUNNING AS "root"!
>
>I must admit this is a little strange. On most unix systems running X11,
>this would either fail because the user doesn't control the display.

This is indeed interesting... I can imagine the security implications of 
this "feature".
I have not tried to reproduce it, though -- I wonder how the OS X gui 
server handles different user connections as compared to X11.
Then again, it might not even work the same way at all. Could someone 
more educated in the matter possibly enlighten us?

A lot of things are dependent on a user being logged on apparently -- 
such as network profiles. Wireless will not be active until you at least 
log in once, from what I gathered last year...

>| I don't think I even have the "root" user enabled on my powerbook.
>
>I'm not sure what you mean by enabled. I don't think you can disable the
>'root' user on a unix machine and have it work. Every time you run sudo it
>executes commands as root. This would not be possible if the 'root' user
>was disabled.

I think by disabled he means the user is not "active" per se in NetInfo, 
and does not have a password set.
The root user is "enabled" in the unix sense though, you just can't 
log in with it for it has no password...
(This can of course be changed by using something like, sudo passwd 
root, however I do believe something has to be done in netinfo for you 
to be able to login with it, and access the >console "framebuffer-esque" 
local TTY.)

>| Besides the interesting security implications, I would like to fix this
>| because I have written an application which can be so (as above) cronn'ed to
>| launch and do some work while a user is out to lunch, but if the user has
>| displayed his login window, as smart users do when they go out to lunch, it
>| does not run properly since it runs as root - it can't find any of the
>| user's files.
>
>A little googling 'gui cron login window site:apple.com' and it seems
>someone else has had this problem:
>
>http://lists.apple.com/archives/darwin-userlevel/2003/Dec/msg00007.html
>
>But they don't seem to have a solution either ;(.
>

At least we know they are somehow aware of it. I googled a bit, but no 
dice other than the aforementioned article.

-- 
Alexandre Gauthier
supernaut at underwares.org

underwares.org
Obscure IT knowledge Open Database

The human brain operates at only 10% of its capacity. The rest is overhead for the operating system.
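As an added example (not code from the thread, nor Apple's), a small sh wrapper a cron'd GUI job could go through so that it defers instead of launching as root behind the login window; it assumes that on Mac OS X /dev/console is owned by the console user, and by root while the login window is displayed.

```shell
#!/bin/sh
# Added example, not code from the thread: wrapper for a cron'd GUI job.
# It skips the job when no user session owns the console (login window
# showing) or when cron started it as root instead of the intended user.
# Assumption: on Mac OS X, /dev/console is chowned to the logged-in console
# user and reverts to root while the login window is up.

# Print the owner of /dev/console (BSD stat on Darwin, GNU stat elsewhere).
console_user() {
    if [ "$(uname)" = Darwin ]; then
        stat -f '%Su' /dev/console
    else
        stat -c '%U' /dev/console
    fi
}

# Decide whether the job may run.
#   $1 = user the job is meant for, $2 = current console owner, $3 = euid
# Returns 0 (run) or 1 (skip); the reason goes to stderr, so cron mails it.
should_run() {
    expected="$1"; owner="$2"; euid="$3"
    if [ "$owner" != "$expected" ]; then
        echo "skip: console owned by '${owner:-nobody}', not '$expected'" >&2
        return 1
    fi
    if [ "$euid" -eq 0 ]; then
        echo "skip: job started as root; it must run as '$expected'" >&2
        return 1
    fi
    return 0
}

# Entry point for the crontab line:  wrapper.sh <user> <command> [args...]
main() {
    expected="$1"; shift
    if should_run "$expected" "$(console_user)" "$(id -u)"; then
        exec "$@"
    fi
    exit 0   # nothing to do this run; exit cleanly so cron sends no error
}

# Only dispatch when called with arguments, so the functions can be sourced.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

In the crontab the job would then read `wrapper.sh jerry /path/to/app` instead of the bare app path, and the skipped runs show up in cron's mail rather than as a root-owned GUI behind the login window.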
