[X-Unix] Security content of the Mac OS X 10.3.9 Update
Brian L. Matthews
blmatthews at gmail.com
Mon Apr 18 08:05:27 PDT 2005
>>>Kernel
>>>Impact: Permitting SUID/SGID scripts to be installed could lead to
>>>privilege escalation.
>>>Description: Mac OS X inherited the ability to run SUID/SGID scripts
>>>from FreeBSD. Apple does not distribute any SUID/SGID scripts, but the
>>>system would allow them to be installed or created. This update
>>>removes the ability of Mac OS X to run SUID/SGID scripts. Credit to
>>>Bruce Murphy of rattus.net and Justin Walker for reporting this issue.
>>I'm not sure I understand this right. Is 10.3.9 disabling the SUID/SGID
>>functionality?
>The statement is misleading. While Apple does not distribute SUID/SGID
>"scripts" it does distribute SUID "programs" -- the most well known being
>sudo.
Every occurrence of "SUID/SGID" in Apple's statement is followed by
"scripts" so I don't see how it's misleading; they did exactly what
they said they did.
>However, the same functionality is accomplished by using "sudo" --
>"Runas_User."
>This will require that the user use the syntax "sudo -u backup runBackup.sh"
>You CAN stipulate if a password is required to run that script or not.
How is that password entered in a script I want to run unattended?
Brian
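
Added example, not part of the original message or of Apple's advisory: a shell audit that lists set-uid/set-gid files beginning with `#!`, the kind of file the quoted advisory says 10.3.9 will no longer run as SUID/SGID. The function names and the directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Audit for set-uid / set-gid interpreter scripts (as opposed to compiled
# programs such as sudo, which keep working as before).

# is_script FILE: succeeds when FILE begins with the "#!" interpreter marker.
# NUL bytes are dropped so binary files do not produce shell warnings.
is_script() {
    [ "$(head -c 2 "$1" 2>/dev/null | tr -d '\0')" = "#!" ]
}

# find_suid_scripts DIR: print each regular file under DIR that carries the
# set-uid (4000) or set-gid (2000) bit and is a script rather than a binary.
# -xdev keeps the walk on one filesystem; unreadable paths are skipped.
find_suid_scripts() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if is_script "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Run the audit only when a directory is given, e.g.:  sh audit.sh /usr/local
if [ "$#" -gt 0 ]; then
    find_suid_scripts "$1"
fi
```

Any path this prints is a script that relied on the SUID/SGID bit and needs another way to run with the required identity.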