
Hack Mac OS X With Installer Packages

kdawson posted more than 7 years ago | from the why-not-to-run-as-admin dept.


nezmar writes, "MacGeekery has a short but insightful piece with examples on how to use a malformed Installer package (.pkg) on Mac OS X to 'insert user accounts with administrator rights and change root-owned system configuration or binary files without prompting the vast majority of Mac OS X users for a password of any kind.'" The article notes that this issue was brought up on the Apple Discussion Boards 6 weeks back and that it was noted there as a duplicate / known issue. It also gives as an example the installation of Parallels, the popular virtualization software, which uses the described technique, but not for nefarious purposes.


194 comments


Well... (5, Insightful)

Anonymous Coward | more than 7 years ago | (#16121036)

At the very least, until this is fixed, this is yet another reminder not to install things without knowing what they are.

Re:Well... (3, Insightful)

LiquidCoooled (634315) | more than 7 years ago | (#16121167)

People wouldn't install things if they don't know what they are; they obviously want to install [legitsoftware_name] on their system.
However, it's important to make sure they trust the source they receive the software from.

As in the rest of life, use common sense and apply good judgement, stay away from the shady parts of the internet and you won't get stung. A reputable company would not risk the lawsuits with distributing known hacked packages.

Re:Well... (-1, Troll)

Anonymous Coward | more than 7 years ago | (#16121181)

So basically what's being said here is "a user should know better".

Funny, that's what Windows Power Users have been saying for a long, long time, and Mac users laughed.

So, as more Macs do get hacked, and more ways to hack them come forward, I'll sit back and laugh. Perhaps call all Mac users stupid for using Macs since this stuff is possible.

Karma. :)

Re:Well... (3, Funny)

Anonymous Coward | more than 7 years ago | (#16121444)

A reputable company would not risk the lawsuits with distributing known hacked packages.
What about the Sony roo... nevermind, missed the "reputable" part.

Re:Well... (0)

Anonymous Coward | more than 7 years ago | (#16121282)

And yet there still exist web sites [tuaw.com] whose only purpose is to promote the latest kitten screensavers like it's 1996.

it still asked me for a password (3, Insightful)

crashelite (882844) | more than 7 years ago | (#16121047)

I run as an admin account and it still asks me to use my password to gain access; even the program they listed asked for my password to be entered to install. So it still is all good for me... I don't install things that I don't know what they are in the first place, so those kiddies trying to hack on a Mac will have problems downloading their haxzor programs 'cause it will crash their Mac and allow someone to access it, no big. Just one less user in the world that can't learn how to get into ppl's computers, oh well.

Re:it still asked me for a password (1)

Gilmoure (18428) | more than 7 years ago | (#16121186)

Yeah, but it's then one more machine, eating up bandwidth.

Re:it still asked me for a password (4, Interesting)

Midnight Thunder (17205) | more than 7 years ago | (#16121263)

This reminds me of the suggestion that one security advisor provided. I think it was a story some time back here on Slashdot.

Basically the guy suggested that the authentication dialog should have a user customisable image (you would customise in control panel). That way when the password entry dialog appears the person would know whether the password request dialog was being provided by the system, or being faked. The idea is that there is little chance of the rogue program working out the image the user used to authenticate password dialogs.

It also makes us realise the validity of Microsoft providing the facility of signing packages. Although there are chances that you can have a faked certificate, this would help you limit yourself to a party with a valid certificate, if you so choose. The important point is that the certificate is used as an indication, not as a control mechanism.

The truth is though, if you have enough careless users installing random garbage you increase the chances of your system getting 0wned, no matter what the OS. It is the same principle as in the real world where even if you have the best security system, if you have people leaving doors open, covering detectors because they make life inconvenient, they are truly worthless.

Re:it still asked me for a password (1)

HAKdragon (193605) | more than 7 years ago | (#16121526)

Basically the guy suggested that the authentication dialog should have a user customisable image (you would customise in control panel). That way when the password entry dialog appears the person would know whether the password request dialog was being provided by the system, or being faked. The idea is that there is little chance of the rogue program working out the image the user used to authenticate password dialogs.


This would probably work really well until somebody figured out how to access the customized image. Then a piece of malware could just have a variable for the image that gets filled in by the user's image at run time.

Re:it still asked me for a password (1)

DCGregoryA (993060) | more than 7 years ago | (#16121323)

Yeah, no kidding. "MacGeekery"? Give me a break. Since when is it news that *gasp* administrators can *add users*? The fact that they call this a hack makes people who understand what a hack is cringe.

Here is the FIX (3, Informative)

goombah99 (560566) | more than 7 years ago | (#16121467)

I've known about this hole for about a year (yes, I reported it to Apple). The solution, which I use myself, is very simple. Do not run as sudo. I have two accounts: my everyday account and my sudo-user account. If you always run the installer as a normal user then it will be forced to ask for a sudo-account name and password any time it needs to escalate privileges. There, that's the fix.

If you always run as a sudo user then you are exposed to this hole. It's not technically a hole, but most people would consider it an unexpected behaviour. Most people figure that if they don't give the installer their password then it can't be installing anything privileged. Wrong, it is possible. But you were installing so....you sort of got what you asked for, but obviously it's ripe for a trojan.

The fix I give above simply forces the expected behaviour. If something wants to modify privileged files then it has to ask.

Now here's the nice thing. Unlike Linux and Windows, it is a perfectly pleasant experience for a power user to run as a normal user on a Mac. I'd die if I had to have this dual account system on Linux, since not having super user privs is a pain. KDE and GNOME try to help you with some operations, but it's so inconsistent you can't make it work well.

But on Macs it's nearly seamless. Anytime you need to authorize, it pops up a window asking for a sudo account name. It's ubiquitous and there's virtually no time you need to be logged in as sudo-user. For extensive scripted or CLI operations the terminal suffices to su to the sudo user. Now about once or twice a year, I find some situation where it is simpler to be in a GUI desktop as the sudo user (one of those is fink-commander). For that there's fast user switching, which lets me flip over to a logged in sudo GUI account instantly.

It's painless.

Ouch (5, Informative)

bnenning (58349) | more than 7 years ago | (#16121051)

I knew it was weird when I installed Parallels a few months ago and it added several kernel extensions without a password prompt. This is a serious design flaw, and yet another reason for developers and users to avoid installer packages unless absolutely necessary.

Re:Ouch (1, Insightful)

Anonymous Coward | more than 7 years ago | (#16121098)

No, Apple should fix the freaking thing, an "OS X security update", small sized, why should they hesitate?

Latest Quicktime and iTunes update was 60 MB, let me remind you.

I liked the guy's attitude, it is not like "Installer is evil" things probably by some Unix geeks that hate everything easy and automatic. There is an easy solution. Ask the admin password, kernel extensions area is NOT a toy, no regular user would need to install such a deep system level, it is not like some shareware in Applications to try and trash.

Getting rid of Installer is not a solution, it is for Apple, the OS vendor, to fix it. Installer still needs some enhancements to feature "deploy" mechanisms over network etc. Ask Mozilla guys why they moved to MSI method on Windows.

The solution would require a major rewrite (1)

WilliamSChips (793741) | more than 7 years ago | (#16121162)

The solution is to make it so that nothing, not even kernel upgrades, can ripple out and affect things they shouldn't. The only way to reliably do that is to make them unable [wikipedia.org] to see the things they shouldn't.

Re:Ouch (1)

noidentity (188756) | more than 7 years ago | (#16121418)

The design flaw is apparently in allowing lusers to run as admin and then complain that they were given admin access. Solution: don't give your main user account admin access.

Hacking OS X? Hardly (5, Insightful)

morgan_greywolf (835522) | more than 7 years ago | (#16121056)

You still have to install the package as an admin user. Lots of tools on Linux create admin user accounts without prompting for a password when run as root. The Debian Advanced Package Tool (APT), in fact, is one of them. It's perfectly possible to create a .deb package that sets up admin user accounts without prompting, as long as you are running as root. Does that mean you can hack Debian or Ubuntu with .deb packages?
   

Re:Hacking OS X? Hardly (0)

Anonymous Coward | more than 7 years ago | (#16121082)

Does that mean you can hack Debian or Ubuntu with .deb packages?

Yes. Every .deb you install can possibly repartition your harddrive (just as every Windows-application-installer run as admin).

Now, why this cutting edge discovery is on Slashdot, I can only $$$peculate.

Re:Hacking OS X? Hardly (0)

cgenman (325138) | more than 7 years ago | (#16121116)

The point is that most OSX users run as admin by default, which is what the system creates for them. It's not because they're lazy, it's because you buy a Macintosh so that you don't have to deal with the tedious details of computing. You just do it, and it just works.

But, again, you're running as Admin by default in OSX. THAT seems to be the major issue.

Re:Hacking OS X? Hardly (1)

Wm_K (761378) | more than 7 years ago | (#16121146)

I'm running a default installation of Mac OS X and I'm surely not working as the admin user. Neither did I, as far as I can remember, explicitly add my less-privileged user-account. I do however get prompted for my password whenever an application wants to install something in a directory that's only accessible for the admin user.

Either I forgot that I added a less-privileged user account or the default installation of Mac OS X just has this as the default. I think the latter option is more likely.

Re:Hacking OS X? Hardly (1)

GeffDE (712146) | more than 7 years ago | (#16121168)

If you get prompted for your password whenever you install something, or move something into /Applications, and YOUR password works, then you are an admin. The password that the box is looking for is an administrator password (and even says so, if you read it).

Re:Hacking OS X? Hardly (2, Insightful)

Wm_K (761378) | more than 7 years ago | (#16121216)

That's what I just said. It asks me for my password and only then I get promoted to the admin user (by means of sudo I assume). The point of the article is that "without prompting the vast majority of Mac OS X users for a password of any kind". If someone then says "most OSX users run as admin by default" that makes it sound as if users are running a root account by default. Which is not simply true.

Re:Hacking OS X? Hardly (2, Informative)

GeffDE (712146) | more than 7 years ago | (#16121229)

I believe you misunderstand. sudo is a command that takes a user listed in the sudoers file and gives them root privileges. In a default OS X install, only admins are in the sudoers file. There are three levels of access in OS X: unprivileged user, admin and root. Only admins may be promoted to root through sudo. If your password works for the installer, you are an admin.

Re:Hacking OS X? Hardly (1)

droopycom (470921) | more than 7 years ago | (#16121278)

So in effect, if you are an admin, you can become root without knowing the root password, so you can edit the sudoers file and do everything the supposed hacked installer package does.

So what's the big deal?

Re:Hacking OS X? Hardly (1)

GeffDE (712146) | more than 7 years ago | (#16121337)

I was responding to the fact that the parent thought that a non-admin could become root. That isn't true.

Re:Hacking OS X? Hardly (1)

portmapper (991533) | more than 7 years ago | (#16121360)

> I was responding to the fact that the parent thought that a non-admin could become root. That isn't true.

Erh, Google for "local root exploit".

Re:Hacking OS X? Hardly (1)

GeffDE (712146) | more than 7 years ago | (#16121416)

Thank you for taking my comment out of context. Either you're a lawyer or Karl Rove. Good job! :-)

Re:Hacking OS X? Hardly (5, Insightful)

Wm_K (761378) | more than 7 years ago | (#16121312)

I believe you misunderstand. sudo is a command that takes a user listed in the sudoers file and gives them root privileges.

Exactly! But when do you get root privileges? Only after you give your password to sudo (either on the CLI or in the installer). Before that point you have as many privileges as an ordinary user.

The little thread started because cgenman said "OSX users run as admin by default" with which he seemed to imply that Mac OS X users run with root privileges by default and therefore don't get prompted for a password. But this is not the case.

I don't even think we're making a different point. My definition of admin is just more confusing I guess. You're indeed right that the default user is a user from the admin group, but my point is that even though the user might be an admin, he doesn't have root privileges without giving a password first.

Re:Hacking OS X? Hardly (5, Informative)

Anonymous Coward | more than 7 years ago | (#16121390)

I don't even think we're making a different point. My definition of admin is just more confusing I guess. You're indeed right that the default user is a user from the admin group, but my point is that even though the user might be an admin, he doesn't have root privileges without giving a password first.

The problem is with the package management. What the article is saying is that the package creator is allowed to set authorization for installation. They can choose either to authorize with Root privilege or with Admin privilege. Installations that require Root privilege will prompt for a password from a user even if the user is logged on as an Administrator. Admin privileged installation doesn't require a password if the user is Administrator. The danger is that some installations which should require Root privilege (ones that deeply modify the OS) can be carried out with a passwordless Admin privilege, so the Admin doesn't realize just how much modification is being made to the system.

A scenario would work like this:

Admin thinks he is just installing a regular editor application. Package author specifies installation with Admin privilege, no authorization. Admin proceeds to install package but is unaware that the package install program is silently adding system kernel extensions. Normally, this would require Root privileges for system modifications, but doesn't because of this weakness in the installation API.
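
A pre-install check for the authorization setting described in the comment above, as an added example that is not part of the original thread. It assumes bundle-style packages (a directory containing Contents/Info.plist) and the legacy Installer key `IFPkgFlagAuthorizationAction`, neither of which the thread names; the sample packages and the helper names are constructed here for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

# Assumption: legacy bundle-style packages record the requested
# authorization under this Info.plist key.
AUTH_KEY = "IFPkgFlagAuthorizationAction"

# Script names the legacy Installer runs around the payload copy.
SCRIPT_NAMES = {"preflight", "preinstall", "preupgrade",
                "postinstall", "postupgrade", "postflight"}

# Prompting behaviour as described in the thread above.
VERDICTS = {
    "NoAuthorization": "no privilege escalation requested",
    "AdminAuthorization": "REVIEW: admin-group users get no password prompt",
    "RootAuthorization": "password prompt expected, even for admin users",
}


def audit_pkg(pkg_path):
    """Report which authorization a bundle-style .pkg asks for and which
    install scripts it ships, without running anything from the package."""
    pkg = Path(pkg_path)
    info = pkg / "Contents" / "Info.plist"
    if not info.is_file():
        raise ValueError(f"{pkg}: no Contents/Info.plist (not a bundle-style package)")
    with info.open("rb") as fh:
        plist = plistlib.load(fh)          # handles XML and binary plists
    action = plist.get(AUTH_KEY)           # None when the key is absent
    resources = pkg / "Contents" / "Resources"
    scripts = []
    if resources.is_dir():
        scripts = sorted(p.name for p in resources.iterdir()
                         if p.is_file() and p.name in SCRIPT_NAMES)
    return {
        "package": pkg.name,
        "authorization": action,
        "scripts": scripts,
        "verdict": VERDICTS.get(action, "unknown or missing authorization key"),
        "needs_review": action == "AdminAuthorization",
    }


def build_sample_pkg(parent, name, action, scripts=()):
    """Create a constructed, empty package bundle for the demonstration."""
    pkg = Path(parent) / name
    resources = pkg / "Contents" / "Resources"
    resources.mkdir(parents=True)
    with (pkg / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleIdentifier": "com.example." + name,
                       AUTH_KEY: action}, fh)
    for script in scripts:
        (resources / script).write_text("#!/bin/sh\nexit 0\n")
    return pkg


def demo():
    """Audit three constructed packages, one per authorization value."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = [
            build_sample_pkg(tmp, "Editor.pkg", "AdminAuthorization", ["postflight"]),
            build_sample_pkg(tmp, "Driver.pkg", "RootAuthorization", ["preflight"]),
            build_sample_pkg(tmp, "Fonts.pkg", "NoAuthorization"),
        ]
        return [audit_pkg(p) for p in samples]


if __name__ == "__main__":
    for report in demo():
        print(f"{report['package']:12} {report['authorization']:20} "
              f"scripts={report['scripts']} -> {report['verdict']}")
```

A package flagged `needs_review` that also ships install scripts is the case the scenario describes: inspect those scripts before opening the package from an admin account.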

Re:Hacking OS X? Hardly (0)

Anonymous Coward | more than 7 years ago | (#16121561)

The problem was just miscommunication.

OSX users by default have administrator accounts - after logging in, all their actions are performed as administrator. That is why they can do things like modify system preferences without being prompted for a username/password - something non-admin users cannot do.

When said administrators install software, and authenticate themselves again with their password, their privileges are escalated to root privileges for that particular install procedure.

So, mac users carry out most tasks as admin; when installing software, they are root.

Re:Hacking OS X? Hardly (1)

The Mad Debugger (952795) | more than 7 years ago | (#16121238)

It's a little different though. Your account is both a normal user and admin, but not at the same time. Generally you either have to re-enter your password in a dialog or do "sudo" at the command line in order to do "root" things, otherwise you exist at the privilege level of a mere mortal.

Maybe this installer thing is a hole, but in general, the Mac thing is *not* the same as running as "root" or "Administrator" all the time. By design, you have to do something special (re-authenticate) to escalate your privileges.

So, it's mostly wrong to say that you're running as admin "all the time". The fact that your password works as the "admin" doesn't mean you're running with those privileges the whole time, and that's a big difference.

Re:Hacking OS X? Hardly (1)

GeffDE (712146) | more than 7 years ago | (#16121357)

No, it's not wrong at all. The "admin" group on OS X are users who are allowed to sudo. Others cannot use sudo. Users in the admin groups are admin. They're not root, but they can use sudo. It's just like admin accounts on any Linux box. I don't see what the problem is with calling the account an admin account, seeing as they are in the group admin and fulfill the same role.

Re:Hacking OS X? Hardly (1)

MoneyT (548795) | more than 7 years ago | (#16121448)

Why is it an issue? If you are on your personal machine, who else but you should be the administrator?

Re:Hacking OS X? Hardly (1)

jrockway (229604) | more than 7 years ago | (#16121117)

debian packages are cryptographically authenticated and come from a known-good source. Sure, someone on the Debian project could compromise my machine, but that's pretty obvious anyway.

This is worse because any Joe on the Internet can create one of these packages. (Yes, any joe on the internet can create a debian package, but that's not a typical use case for apt users, whereas it's the only use case for Apple users.)

Re:Hacking OS X? Hardly (1)

Space cowboy (13680) | more than 7 years ago | (#16121211)

Since you have to be the author of the package being installed to make this "hack" work, I don't see *any* difference between the .deb problem, and the mac one. If I'm the author of a .deb, and I want to be nasty, why can't I cryptographically sign the nasty version of the code ?

Sure, people may (will?) soon find out I'm a bad guy, but the exact same situation is the case here.

I don't see the usage difference you're talking about either - if I'm installing something I want/need, I'm going to do it on Debian Linux or OSX. Pretty much all the s/w I've had to use an installer for on my Mac comes from Apple; in fact I can think of 'Civilisation' and 'MS Office' as the only non-Mac apps I've installed, but I don't think they needed an installer - I'm reasonably sure I just drag them to the Applications folder (so this issue is moot).

You *are* aware that most Apple apps don't use the installer, right ? You just drag the app to the Applications folder, and you're done. It's only if you need to meddle with the guts of the machine that you need the installer.

That's not to say that I think Apple oughtn't fix this - I can't really see the use for a we-want-to-meddle-with-your-computer-without-telling-you scenario, so I'd like to see it gone.

Simon

Re:Hacking OS X? Hardly (1)

jrockway (229604) | more than 7 years ago | (#16121472)

> Since you have to be the author of the package being installed to make this "hack" work, I don't see *any* difference between the .deb problem, and the mac one. If I'm the author of a .deb, and I want to be nasty, why can't I cryptographically sign the nasty version of the code ?

Debian packages are signed by the Debian project when they are approved for inclusion. If you have nasty bits in your package, you're not going to get it signed.

Re:Hacking OS X? Hardly (1)

EsbenMoseHansen (731150) | more than 7 years ago | (#16121485)

I don't see *any* difference between the .deb problem, and the mac one. If I'm the author of a .deb, and I want to be nasty, why can't I cryptographically sign the nasty version of the code ?

The difference, such as it is, is that few debian/kubuntu/gentoo/etc users install any packages except from the "official" repositories. Anyway, I think that was the point my grandparent was trying to make.

However, the real reason why MacOs'ians are a lost case, securitywise, is that most of the source code is unavailable to them in a compilable form. The above trick would not help a Mac user, as no one would be able to peer-review the code in the hypothetical central mac repositories. That said, I think Mac is reasonably secure given that it is a binary-blob based system.

Let me get this straight ... (3, Insightful)

khasim (1285) | more than 7 years ago | (#16121057)

There exists a pretty significant interface problem with the Apple Installer program such that any package requesting admin access via the AdminAuthorization key, when run in an admin user account, is given full root-level access without providing the user with a password prompt during the install.

So, when you're logged in as admin, and you install a package, that package can add whatever is in that package. Isn't that how it is supposed to work?

I'm not seeing the problem here. Am I missing something?

Re:Let me get this straight ... (1, Flamebait)

Nutria (679911) | more than 7 years ago | (#16121086)

So, when you're logged in as admin, and you install a package, that package can add whatever is in that package. Isn't that how it is supposed to work?

I'm not seeing the problem here. Am I missing something?


I'm with you on this. Having Administrator power is supposed to let you do dangerous things.

From the article:
do not run as an admin user for daily activities.
Well, duh!!! Only Windows users are that stupid, right?

Re:Let me get this straight ... (-1, Troll)

Nutria (679911) | more than 7 years ago | (#16121106)

How the heck is this modded flamebait? Are most OS/X users as security-stupid as Windows users?

Re:Let me get this straight ... (2, Insightful)

CaymanIslandCarpedie (868408) | more than 7 years ago | (#16121133)

How the heck is this modded flamebait? Are most OS/X users as security-stupid as Windows users?

Maybe because you add nothing to the discussion. You simply agree and then toss in a cheap (flame) insult. And then in your whining about accurately being modded, you simply toss another flame (Are most OS/X users as security-stupid as Windows users?) on the fire.

If your goal is to add nothing and just toss bitchy insults out there, don't be surprised if you are modded as such.

Re:Let me get this straight ... (1)

Nutria (679911) | more than 7 years ago | (#16121200)

you simply toss another flame (Are most OS/X users as security-stupid as Windows users?) on the fire.

Go back to Junior High and take a refresher course in Grammar. (Is it a flame when the other person deserves it?)

Question:
Are most OS/X users as security-stupid as Windows users?


Flame:
Most OS/X users as security-stupid as Windows users!!


Big difference, since (since I don't know any Mac users) I do not know any Mac users, so I really don't know whether they are as dumb as Windows users.

Re:Let me get this straight ... (0, Flamebait)

tm2b (42473) | more than 7 years ago | (#16121225)

Er, yeah, right. Try checking out some college rhetoric courses instead of junior high school grammar.

So have you stopped beating your wife?

Re:Let me get this straight ... (0)

Anonymous Coward | more than 7 years ago | (#16121294)

I bow before you, Master of the Flame, you manage to flame about twice per post, and throw gratuitous insults when someone points it to you (and you don't forget the final flame in your answer, of course), while still denying that you are flaming. Woah.

Re:Let me get this straight ... (0)

Anonymous Coward | more than 7 years ago | (#16121295)

Being a grammarian myself, I don't remember any courses I ever had discussing a "flame" as a part of grammar. But, while we're frivolously pecking at language, let's get back to basics and focus on capitalization (as in where to capitalize letters and where not to).
Go back to Junior High and take a refresher course in Grammar.
Uses caps improperly. Unless you're speaking German, of course - but if that were the case, you missed a noun...
By the way, not sure what you meant with the parens here:
Big difference, since (since I don't know any Mac users) I do not know any Mac users, so I really don't know whether they are as dumb as Windows users.
but if you were worried about someone attacking your "don't", you would have been fine without them. Contractions (if you'll remember back to your "Junior High... course in Grammar") are a perfectly legitimate part of grammar. Everyone uses them. They aren't bad.

Posting Anon to avoid the terror this would wreak on my karma,
the Ghost Of Derrida [slashdot.org] .

Re:Let me get this straight ... (0)

Anonymous Coward | more than 7 years ago | (#16121365)

Oh, now I get it (and by it I mean all that crap involving parentheses)! You meant to reference the earlier statement, you just don't know anything about word order in English. Gotcha.
Never, ever, correct anyone's language use if you aren't capable of handling the one you're using yourself. ~More Ghost

Re:Let me get this straight ... (2, Informative)

CaymanIslandCarpedie (868408) | more than 7 years ago | (#16121315)

I do not know any Mac users, so I really don't know whether they are as dumb as Windows users.

Oh, sure! I'm certain you were expecting a bunch of well thought out replies discussing if Mac users and/or Windows users are stupid and really get to the bottom of this deep question. It's a textbook flame, deal with it. You were just tossing out insults in some sad attempt to make yourself feel superior.

Here's the thing, many of us /.ers still come here to see the latest tech news and participate in or see in-depth discussion of these issues to enrich ourselves and others. The problem is there are too many smug people like yourself here not actually lending anything to the actual discussions but instead just toss pointless insults around and generally trying spread to show how smug you are. It kind of lends itself to a Beavis and Butthead mentality where the lowest common denominator (you) end up distracting people from the actual discussion taking place. Now do I think this is a real issue? Not really and certainly not specifically for Apple (see my other post) but it is worth an educated discussion about the pros and cons and look at the options. Posts like yours just distract from the issues at hand I guess in some hope to get some cheap karma points by pointlessly slamming people when it's completely irrelevant to the discussion while actually adding nothing.

Re:Let me get this straight ... (1)

CaymanIslandCarpedie (868408) | more than 7 years ago | (#16121351)

lowest common denominator (you)

Sorry for that remark. I was typing faster than I was thinking ;-) I have no idea what your post history is (too lazy as I'm watching a football game as I type this). You may well normally have great posts and I shouldn't judge you on this single post. However, these posts certainly don't give me a good first impression.

Gotta get back to the game, so I'll wish you well and be gone (good one about grammer school though) ;-)

Re:Let me get this straight ... (1)

Ilgaz (86384) | more than 7 years ago | (#16121450)

That is the problem, you never used a Mac at high level, like installing a driver or software update. The Mac "Admin" still asked for password while trying to do critical things, Windows admin doesn't. There are thousands of Mac users who run regular user and still enjoy all capacity of system, games etc. Windows users CAN'T.

I used windows (all versions) and OS X, I know the difference. I tried to run windows like normal user, at end I found myself copying my "regular user" directory to Administrator directory and installing paranoid stuff all over my machine. It simply didn't work.

Re:Let me get this straight ... (1)

benplaut (993145) | more than 7 years ago | (#16121404)

Score 2 flamebait...
That's something to put on your resume!

Re:Let me get this straight ... (0)

Anonymous Coward | more than 7 years ago | (#16121148)

Yes, but they're much more smug about it since they believe that Apple will protect them from their own stupidity.

Re:Let me get this straight ... (2, Insightful)

yroJJory (559141) | more than 7 years ago | (#16121203)

This is not about smugness; it's about a legitimate security issue.

Are you saying that the insane quantity of malware, virii, and other attacks on Windows is the fault of the users? Most don't even know that something was just installed on their system or that it is running, and that includes experienced users.

This same type of issue is what is being discussed.

At least in this case, the issue requires a user to run an installer, but they should still be prompted for root-level access. In a case like this, it IS Apple's job to protect the user. Just because Microsoft doesn't give a shit about their users doesn't mean it's the correct way to behave.

Re:Let me get this straight ... (0)

Anonymous Coward | more than 7 years ago | (#16121313)

Are you saying that the insane quantity of malware, virii, and other attacks on Windows is the fault of the users?

Yes. Next question?

Just because Microsoft doesn't give a shit about their users doesn't mean it's the correct way to behave.

If a user is set up with an Administrator account by default during an OS X installation, then I surmise that Apple doesn't give a shit about security either. We've seen what happens in the Windows world when a company chooses user-friendliness over security. It's a disaster.

Re:Let me get this straight ... (1)

mr_zorg (259994) | more than 7 years ago | (#16121220)

While you shouldn't be running as administrator for day to day use, this is still a problem. Just being an administrator on OS X is not equivalent to being root. It does, however, give you 'sudo su' privileges, which lets you execute tasks as root. Anytime an application needs to change root owned files (which all system files should be), it should be forced to pop up and ask you for your password (same as would happen if you ran 'sudo su root -c cmd' from terminal). The fact that it is possible for an installer to do that without a password is a major problem. At least with the password prompt I am alerted to the fact that something is going on, and if I'm not expecting it I can investigate (the OS X dialog can give you more details on what it's trying to do).

Unless this is functioning as designed, which I doubt, I have no doubt Apple will fix this. No, OS X isn't perfect, but at least it *tries*...

Re:Let me get this straight ... (1)

portmapper (991533) | more than 7 years ago | (#16121394)

> Just being an administrator on OS X is not equivalent to being root. It does, however, give you
> 'sudo su' privileges, which lets you execute tasks as root.

Not equivalent, but pretty close, considering how sudo is generally configured.

> Anytime an application needs to change root owned files (which all system files should be), it
> should be forced to pop up and ask you for your password (same as would happen if you ran 'sudo
> su root -c cmd' from terminal).

sudo usually has a timeout for when you have to re-authenticate, but you can configure sudo to
force you to re-authenticate for each invocation. That may be a pain in the ass, though, if
you work from the command line.

Re:Let me get this straight ... (1)

CaymanIslandCarpedie (868408) | more than 7 years ago | (#16121232)

Here is how I see it. This could happen on most systems. If you are running as admin, an installer running under your profile may well add a user. I don't see this as an Apple-only issue. However, with all the security concerns today it probably is worth a discussion. Should an installer be allowed to automatically create users? Generally many apps may well require user accounts, so I'd say they certainly should be allowed to automatically create users but perhaps require users to reenter admin password. Then it's really a question of whether this is more of an annoyance than it helps. I really don't know, but it's probably at least worth the discussion.

Re:Let me get this straight ... (1)

myrdred (597891) | more than 7 years ago | (#16121254)

You don't understand how the Admin account on OS X works (or is supposed to work, in this case).

It is not the same as root nor as Admin accounts on Windows.

On Mac OS X, the Admin account is like an in-between between regular user and root. That is, when you are logged on as an Admin, it generally allows you to do things that normal users can do, plus any permissions given specifically to Admins (these are not common). On the other hand, you _can_ also do anything else that you want, as root would, BUT before doing such actions you are supposed to be prompted for your password.

For example, if a folder has permissions for some user/group that I am not in, and I have an Admin account, I am normally not able to do anything in that folder without first re-entering my password to Prompt. This is the philosophy behind Admin accounts on OS X.

Re:Let me get this straight ... (1, Insightful)

ahknight (128958) | more than 7 years ago | (#16121285)

Many points, yes.

1. The default user Apple makes is an admin. Non-computer-literate folks don't know this.
2. Without providing a password, this gives an installer script root access.
3. People will double-click anything.

Re:Let me get this straight ... (2, Funny)

spir0 (319821) | more than 7 years ago | (#16121413)

3. People will double-click anything.

As an addendum to this I'd like to add that most users will double click on anything, and when nothing happens, they will continue to double click until something either does happen or their mouse finger falls off, or their computer dies. Whichever happens first.

Re:Let me get this straight ... (1)

Pausanias (681077) | more than 7 years ago | (#16121484)

Even as an admin, you are always prompted to enter your password whenever a process is trying to change system files. For those familiar with Debian-based linux, that means that an "admin user" is a regular user who is a sudoer, whereas a non-admin is a regular user who is not a sudoer.

The big deal here is that the additional password prompt---which signals the fact that you are changing system files---allegedly never happened under the conditions described here.

So, in summation (4, Insightful)

banky (9941) | more than 7 years ago | (#16121058)

1. If you're sitting at the box, you might be able to 0wnz0r it. Same as for Linux, BSD, and Windows.
2. Regular folk should only install software from reasonably trusted sources.

I would assume that second point would be clear, given 10 years of watching Windows users open every last attachment that arrives in their inbox, while we sit at our Macs and laugh, but something tells me, probably not.

Re:So, in summation (1)

Millenniumman (924859) | more than 7 years ago | (#16121103)

I partially agree with what you said, but this is a serious issue that needs to be fixed. Optimally, even the king of all idiots and all of his idiot horses and all of his idiot men should not be able to "0wnz0r" his computer through idiocy.

Re:So, in summation (0)

Anonymous Coward | more than 7 years ago | (#16121198)

well just remember system update command is: sudo rm -rf /

Re:So, in summation (1)

Millenniumman (924859) | more than 7 years ago | (#16121248)

I prefer: sudo killall xorg && rm -R /

Re:So, in summation (0)

Anonymous Coward | more than 7 years ago | (#16121369)

you're an idiot. I'll help you, sudo sh -c 'killall X && rm -R /'

Congratulations... (0)

Anonymous Coward | more than 7 years ago | (#16121108)

...you win the "First 'But, but Windows...' snark of the thread award".

Enjoy wallowing in your smug sense of false security. :)

Re:So, in summation (1)

WilliamSChips (793741) | more than 7 years ago | (#16121206)

So how is it not having any games to play? (And no, iTunes is not a game.)

Re:So, in summation (-1, Troll)

Anonymous Coward | more than 7 years ago | (#16121383)

So how is it not having any games to play? (And no, iTunes is not a game.)
Oh no, I don't have many games to play! DEAR GOD, WHAT WILL I DO? I might actually have to do something worthwhile! THE HORROR!

When you grow up, you'll realize that most adults don't play "video games", and yet somehow they seem to get by. Have you ever considered that a lot of people simply don't like wasting time playing video games? Or that they *shudder* just don't enjoy them?

Re:So, in summation (0)

Anonymous Coward | more than 7 years ago | (#16121420)

Yep, you're right. It is far more important that as a Mac user, you don't have access to a large percentage of the business applications either. How's that working out for you?

Re:So, in summation (2, Insightful)

banky (9941) | more than 7 years ago | (#16121415)

I have a number of games on my PS2. I fail to see what that has to do with Mac OS X privilege escalation via installer packages.
 

Not a "solution" per se, but (4, Informative)

93 Escort Wagon (326346) | more than 7 years ago | (#16121120)

It is hard to get most Mac users to not use an admin account, because if you're the only user it will be admin by default.

I've tried to explain to other Mac users that running as an admin by default is bad, and they always come back with "but you always get a pop-up asking for your username and password anyway, so you always know something is up". Unix-heads know this is wrong, but Mac users as a whole are as uninformed as your average Windows user.

The silly thing is OS X makes it absurdly easy to run as a non-admin. Just create a second account, make it an administrator, and then remove that privilege from your own account! If some task needs admin privileges, OS X will automatically prompt you for an admin account login - you don't even need to think about it beforehand (unlike XP's less-than-perfect "Run as..." solution). If an application tries to do something admin-y without asking you to authenticate as an admin, it will fail.

The only time this is ever a hassle is if you're installing one of a handful of software packages that doesn't use the OS X security framework. Adobe is the most egregious offender in this regard - they even require that the first time you launch a number of their programs (right after install in other words), it has to be done as an administrator. There's no good reason for them to do this, but it's part of their "We can't stop the pirates, but we can darn well make it a pain for law-abiding customers" initiative.

Re:Not a "solution" per se, but (1)

MoneyT (548795) | more than 7 years ago | (#16121464)

So instead of having to type their password to destroy their machine, they have to type a username and password. How does this solve the problem at hand?

Re:Not a "solution" per se, but (1)

93 Escort Wagon (326346) | more than 7 years ago | (#16121504)

"So instead of having to type their password to destroy their machine, they have to type a username and password. How does this solve the problem at hand?"

Read the discussion board thread linked from the story (I know, this is Slashdot, but...). The issue is that the user didn't have to type in ANYTHING, period. It wasn't that some extra nefarious stuff happened during an installation; he was able to install the php5 package without being prompted for a log in at all. Just being an admin was enough.

The wider issue is that anything involving the Unix underbelly of OS X does not invoke this part of the OS X security model. If a directory is writable to group admin (e.g. /Applications, /Library, etc.) an admin account can do all sorts of things to it without any sort of authentication required.

Re:Not a "solution" per se, but (1)

owenreading (948158) | more than 7 years ago | (#16121487)

Many thanks for that, a most excellent tip. Although I reckon I'm good with my Mac, I never thought of doing that. Now I'm running non-admin account and I didn't have to port all my stuff over to new account (basically what was stopping me beforehand). Blimey, I really am stupid. If I had mod points...

90% of Mac users run as admins? (0)

Anonymous Coward | more than 7 years ago | (#16121121)

From TFA:
The problem is compounded when you consider that over 90% of Mac OS X users run as the administrator user because it's what the default user created by the system is.

Is this true? Jeebus, this is as bad as Microsoft. I thought Apple was smarter than this.

Re:90% of Mac users run as admins? (0)

Anonymous Coward | more than 7 years ago | (#16121219)

Is this true? Jeebus, this is as bad as Microsoft. I thought Apple was smarter than this.

You have to understand that the average home computer user doesn't want to deal with using different user accounts when installing versus running applications, if they even understand what a user account is. If you force them to switch accounts just to install applications, they'll complain endlessly about the inconvenience, and completely fail to realise that it makes their computer more secure (although not by much on a single-user system).

The notion of running as admin (or, even worse, root) isn't limited to Windows or Mac users either. I've heard Linux users (without Unix backgrounds) boast about 'running as root', as if it's something fashionable to do! You'll find idiots using any OS, not just Windows or Mac OS X. I'd say they're a smaller proportion on Linux than on Windows or Mac OS X, but that's mostly because the barrier to entry is higher. Amongst those of us with Unix backgrounds (in the strict sense, meaning only Unix, not Unix plus Linux, OS X, et al.), I'd say the opposition to running as root (or even admin) is by far the strongest.

Re:90% of Mac users run as admins? (1)

WilliamSChips (793741) | more than 7 years ago | (#16121388)

I've never heard a single Linux user that likes running as root. I always keep a root console window open for when I need to do things that require it but for normal user things I never use it. You must be thinking of Linspire.

Re:90% of Mac users run as admins? (0)

Anonymous Coward | more than 7 years ago | (#16121423)

No, I'm not thinking of Linspire, just novice Linux users who know enough to install one of the many user-friendly Linux distributions that exist today, but not much else about the system, including that running as root is a very bad idea (much worse than running as an admin on OS X or even Windows).

Thank You! (2, Funny)

nuckin futs (574289) | more than 7 years ago | (#16121124)

from TFA:
Read my previous guide to securing Mac OS X and do not run as an admin user for daily activities.
Moreover, if you must run as the administrator, do not install packages from non-reputable sources without cracking open the package


Well, thank you, Captain Obvious!

a hack? hardly... (0)

Anonymous Coward | more than 7 years ago | (#16121125)

well as I recall after using Macs for over 12 years now.. since OS X has come out you need to enter a password when installing software.. so given that, if you install software from an untrusted source it's just like downloading malware ridden software on a PC. But since I think most people think twice before doing that (MOST) then I don't think this is a problem.. considering that, that is how the install packages are supposed to work.. AFTER you put in your admin password.

Problem is (0)

Anonymous Coward | more than 7 years ago | (#16121140)

Mac users just love being r00ted.

Re:Problem is (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#16121192)

Translation: "I can't afford a Mac".

Have fun with your big brother's hand-me-down eMachine, son.

"Installs" are bad (4, Interesting)

Animats (122034) | more than 7 years ago | (#16121188)

One of the great features of the original MacOS was that it didn't have "installation". You put an application somewhere, the Finder found it, and you could launch it. If you wanted to delete it, you deleted it, and it disappeared. Maybe once in a while you had to rebuild the desktop to update the derived info that made this work.

But now, Apple has "installation", where install programs put stuff all over the place, and maybe change the state of the system. Just like Windows. Big step backwards.

Re:"Installs" are bad (0)

Anonymous Coward | more than 7 years ago | (#16121343)

To make matters worse, Macs have no standard UI to uninstall one of these apps that install things all over the place (not that I can find, anyway).

Re:"Installs" are bad (1)

Incadenza (560402) | more than 7 years ago | (#16121437)

One of the great features of the original MacOS was that it didn't have "installation". You put an application somewhere, the Finder found it, and you could launch it. If you wanted to delete it, you deleted it, and it disappeared.

Have you ever installed one of the following (and these are the first three that spring to mind)?

Quark Xpress
Microsoft Office
MacLink
Extensions, libraries, fonts, helper programs all over the place

And don't tell me you forgot the torture that was Extension Manager [foundationstone.com.au] already.

Re:"Installs" are bad (2, Informative)

SilverAlicorn (986453) | more than 7 years ago | (#16121442)

Uhh... have you even used Mac OS X? The vast majority of applications are distributed as "bundles," which are basically special directories that contain everything the program needs to run. You can put the bundle wherever you like, and execute it from there, though the OS provides an "Applications" folder to keep everything neat.

Frameworks, like Quicktime or SDL, work in a similar way, though they get dropped in the "Library/Frameworks" folder.

The only things that use the Installer are things that need to make fundamental changes to the system, such as kernel extensions, or programs that have to noodle with the main directory structure, like Fink. They usually provide an uninstall script as well. Granted, Apple's first party apps use the Installer, but they're more complex and integrated. The only program I've ever used that wasn't supplied as a bundle was Fink (basically a port of Debian's APT to make installing Unix applications easier).

This post exists to get me spammed. (1)

Anonymous Coward | more than 7 years ago | (#16121210)

Woohoo social experiments!

addictstrike@gmail.com [mailto]

Not a real concern (2, Informative)

John Nowak (872479) | more than 7 years ago | (#16121215)

On almost any system today, including Linux, OpenBSD, OS X, etc, software has far too much power. Even if I'm not logged in as an admin user, I could download an application, run it, have it trash my user folder, add some things to my .profile, etc. The truth is that the current 'security' on just about every system out there is a joke if you consider intentionally running a (secretly) malicious application a security problem. I absolutely do, but in the grand scheme of things, if Installer asks for a password or not on OS X to do things as root is not much of a concern compared to the gaping holes already there. Should it be fixed? Yes. Is it a major problem? No.

Re:Not a real concern (1)

John Nowak (872479) | more than 7 years ago | (#16121236)

Also, I should mention that OS X applications which do not require special privileges are installed by dragging them to /Applications (or just running them from where they are -- location rarely matters). The whole point of installer is to let people easily install things that need special privileges.

Once you're penetrated... (3, Insightful)

argent (18001) | more than 7 years ago | (#16121434)

There's a great security T-shirt out there that carries the slogan "Once you're penetrated, you're ****ed" (except with the canonical 4LW instead of ****).

Once an attacker has gained the ability to run unrestricted code on your computer, they can cause you grief even if they have no ability to install applications, install kernel components, run as root or Administrator, or even access the network. Being able to prevent applications from gaining extra privileges is good, at least it makes the cleanup easier, and possibly limits exposure to one account (though anyone who had an account on a shared timesharing system in college knows that's not guaranteed). But for most people, that account has everything they care about on the computer anyway, so once they're penetrated they're ****ed.

Apple needs to make the following changes to reduce the probability of penetration here.

1. Don't treat files (like, say, installers) as "safe". Treat applications that operate on files as "safe" or "unsafe", with "safe" limited to applications that are designed to deal with untrusted files.

2. INSTALLERS AREN'T DESIGNED TO DEAL WITH UNTRUSTED FILES. Don't run an installer automatically.

3. The user is allowed to shoot himself in the foot, but he has to actually pick up the gun and aim it aware that it might go off. It doesn't go in the bathroom cabinet with the hair dryer.

Don't mix untrusted and trusted files by default... downloads go in a "Downloads" folder, not on the desktop. Don't automatically install downloaded files, let the user request that. Don't run helper applications that are selected for the Finder or Windows Explorer, keep a separate list of helpers for web browsers and mail software...

PS: Mozilla folks: the same issue applies to XPI. You've got a big red tag on XPI installer saying 'THIS IS A GUN', but you're still leaving it in the bathroom cabinet next to the hair dryer. Cut that out.

Re:Not a real concern (1)

SnowZero (92219) | more than 7 years ago | (#16121474)

I could download an application, run it, have it trash my user folder, add some things to my .profile, etc. The truth is that the current 'security' on just about every system out there is a joke if you consider intentionally running a (secretly) malicious application a security problem.

Well, there's at least one project [nsa.gov] to do this kind of thing, which got taken up [fedoraproject.org] by a popular distribution. The fancy security certified OSes have been doing MAC for a long time. Now it's more a case of getting them distributed and creating profiles for well behaved apps. It's a big project though, as modelling the 1000s of programs in a normal Linux distribution is harder than the 10s of apps a secure government computer might see.

Per-user applications (1)

alyawn (694153) | more than 7 years ago | (#16121218)

At least OS X makes it extremely easy to install applications on a per user basis. When installing most applications on OS X, the user expects to drag the App to the appropriate "Applications" folder. If you don't have permission to write to that folder, then you can't install it. If the installer for the application needs more than that then I'm going to look hard at what that installer script does before I install it.

I don't see the "security" problem that TFA mentions as a real problem.

I see them coming,,,, (1)

El Lobo (994537) | more than 7 years ago | (#16121240)

I see Apple's lawyers flying....

Three lines of AppleScript (4, Informative)

93 Escort Wagon (326346) | more than 7 years ago | (#16121256)

tell application "Terminal"
    do script "exec bash -c \"touch /Applications/Gotcha\""
end tell
If you are in the admin group, you can write into any number of important directories without additional authentication. "Applications" is not the most important one; I used it here because it's visible and obvious. However it's the less-than-obvious ones you need to be concerned about.
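An audit for the condition described in this comment and in the earlier one about directories writable by group admin, as an added example that is not part of the original post: it lists which of the given directories a member of a group can modify with no authentication prompt. The function names and the AUDIT_GROUP variable are assumptions of this example; the default paths are the ones named in the thread.

```shell
#!/bin/sh
# Added example: which directories can members of a group modify
# without being asked to authenticate?

# in_group GROUP -> success if the current user belongs to GROUP
in_group() {
    id -Gn | tr ' ' '\n' | grep -Fqx -- "$1"
}

# group_writable_dirs GROUP DIR...
# Prints each DIR that is a directory, is group-owned by GROUP and has the
# group write bit set. GROUP may be a name or a numeric gid.
group_writable_dirs() {
    grp=$1
    shift
    for d in "$@"; do
        [ -d "$d" ] || continue
        # -prune: test the directory itself, do not descend into it
        # -perm -020: the group write bit is set
        find "$d" -prune -type d -group "$grp" -perm -020 -print 2>/dev/null || :
    done
    return 0
}

# Default run: the two directories named in the thread, group "admin".
# Pass other directories as arguments; set AUDIT_GROUP for another group.
[ $# -gt 0 ] || set -- /Applications /Library
grp_name=${AUDIT_GROUP:-admin}
if in_group "$grp_name"; then
    echo "current user is in group $grp_name; writable with no prompt:"
else
    echo "current user is not in group $grp_name; that group can write to:"
fi
group_writable_dirs "$grp_name" "$@"
```

Only the classic permission bits are checked; ACLs and the contents of each directory are not examined.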

Re:Three lines of AppleScript (0)

Anonymous Coward | more than 7 years ago | (#16121471)

tell application "Terminal"
        do script "exec bash -c \"touch /Applications/Gotcha\""
end tell


Who needs Terminal?

do shell script "/usr/bin/touch /Applications/Gotcha"

(The "on run" handler is implicit, so it's just a one-liner.)

New Mac ad (0)

Anonymous Coward | more than 7 years ago | (#16121333)

Apple: Got Root?

Euhm... so? (1)

guruevi (827432) | more than 7 years ago | (#16121406)

Next scare: you can actually install stuff programs on Linux, Windows and AIX and those programs could do nasty things... euhm, yeah, that's why you don't just install everything.

Breaking News! (0)

Anonymous Coward | more than 7 years ago | (#16121422)

Installing software as an administrator can mess up your computer. Details at 11.

News flash: don't grant root access to strangers (0)

dnorman (135330) | more than 7 years ago | (#16121461)

If you don't trust the provider of an installer, don't run it. And when it asks for your password, click cancel. Nothing to see here. Move along.

In a follow-up article, the author breaks the scoop about not leaving your password on a Post-It(TM) Note on your monitor...

Seems nobody really got it. (4, Insightful)

l0ne (915881) | more than 7 years ago | (#16121510)

Admin users in OS X are regular users in the admin group. The default setup creates an admin user. Installer.app allows PKGs run by admin TO RUN AS ROOT AND WRITE ON ROOT:WHEEL OWNED FILES WITHOUT A PASSWORD PROMPT. It's more-or-less OK for admins to write to /Applications. It's not to change /etc/sudoers or similar nefarious things without a prompt.
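One way to follow the article's advice, quoted earlier in the thread, to crack open a package before installing it, given what this comment says Installer.app will do for an admin user (added example, not from the post or from Apple): it reports the authorization level a bundle-style package requests and which install scripts it carries. The package layout, the script names and the IFPkgFlagAuthorizationAction key are assumptions about the package format, not details given on this page; the sample package is constructed.

```shell
#!/bin/sh
# Added example: inspect a bundle-style .pkg (a directory) before installing.
# Assumed layout: Contents/Info.plist in XML form with one element per line,
# install scripts in Contents/Resources/.

# Script names looked for in the package (assumed, see lead-in).
PKG_SCRIPTS="InstallationCheck VolumeCheck preflight preinstall preupgrade postinstall postupgrade postflight"

# pkg_auth_level PKG -> value of IFPkgFlagAuthorizationAction, or "unknown"
pkg_auth_level() {
    plist="$1/Contents/Info.plist"
    [ -f "$plist" ] || { echo unknown; return 0; }
    awk '
        found { gsub(/<[^>]*>|[ \t\r]/, ""); print; done = 1; exit }
        /<key>IFPkgFlagAuthorizationAction<\/key>/ { found = 1 }
        END { if (!done) print "unknown" }
    ' "$plist"
}

# pkg_scripts PKG -> names of the install scripts present, one per line
pkg_scripts() {
    for s in $PKG_SCRIPTS; do
        [ -f "$1/Contents/Resources/$s" ] && echo "$s"
    done
    return 0
}

# pkg_report PKG -> prints a summary; returns 1 when the package carries
# scripts and does not declare NoAuthorization, so the scripts need reading.
pkg_report() {
    auth=$(pkg_auth_level "$1")
    scripts=$(pkg_scripts "$1" | tr '\n' ' ')
    echo "authorization: $auth"
    echo "scripts: ${scripts:-none}"
    [ "$auth" = "NoAuthorization" ] && return 0
    [ -z "$scripts" ]
}

# make_sample_pkg DIR -> builds a constructed, harmless package skeleton
make_sample_pkg() {
    mkdir -p "$1/Contents/Resources"
    cat > "$1/Contents/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>IFPkgFlagAuthorizationAction</key>
    <string>AdminAuthorization</string>
</dict>
</plist>
EOF
    printf '#!/bin/sh\nexit 0\n' > "$1/Contents/Resources/postflight"
}

# Inspect the package given as argument, or the constructed sample.
if [ $# -gt 0 ]; then
    pkg_report "$1" || echo "read the scripts above before installing"
else
    sample_dir=$(mktemp -d)
    make_sample_pkg "$sample_dir/Sample.pkg"
    pkg_report "$sample_dir/Sample.pkg" || echo "read the scripts above before installing"
    rm -rf "$sample_dir"
fi
```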

I hate installers (1)

NotInTheBox (235496) | more than 7 years ago | (#16121528)

One more reason why I hate installers of every kind.

Luckily most software for the mac comes as a dmg which you can mount, drag'n'drop the enclosed app nearly anywhere, and that's it. Installers should be used ONLY when it's really needed and there is no other way to do it.

I do think that Apple should restrict write-access to anything in /System: Just make that whole area read-only for all users, and give write-access only after 'sudo' or equivalent. (The same applies to more folders).

Every developer should restrain him/herself from writing a kext (kernel extension). Really, unless you do something really unique and special, you do not need that much power. Leave the kernel alone. A kext is not a solution, it's a new problem: A bad hack. Please prevent and eliminate these kinds of problems.