OS X Security Update: Apache, SSL and SSH
payote writes "Security Update July 2002 includes the updated components, Apache v1.3.26, mod_ssl v2.8.9 and OpenSSH v3.4p1, which provide increased security to prevent unauthorized access to applications, servers, and the operating system." It's not in my Software Update window, because I'm still on 10.1.4 (having heard rumors that RtCW doesn't work on 10.1.5). But it is indeed out, and any Mac OS X machine whose webserver or ssh server is open to an untrusted network needs to upgrade.
I picked up a bass guitar when I was in College from 1997 to 1981 because of players like John Entwistle. I will miss him. I had to sell it in the summer of 96 when I was out of work, and needed to eat. I get a chuckle every time I see the video for My Generation. When Moon, Townshend, and Daltrey start smashing things, John cradled his bass like a baby, and stepped away from them. Rest in peace, Ox.
that Apple takes security seriously.
Oh well
Apache makes the vulnerability known, and Apple's right there with an OS patch bringing the new version into the fold.
How it should be. OS X.
blakespot
-- Heisenberg may have slept here.
iPod Hacks.com
Be prepared to reinstall PHP if you had a customized version. This update writes over it.
--
Don't sweat the petty things, and don't pet the sweaty things.
for those who cant/wont compile their own
One more crippling bombshell hit the already beleaguered *WHO community when IDC confirmed that *WHO market share has dropped yet again, now down to less than a fraction of 0 percent of all concerts. Coming on the heels of a recent Live versus Dead survey which plainly states that *WHO has lost more members, this news serves to reinforce what we've known all along. *WHO is collapsing in complete disarray, as fittingly exemplified by failing dead last [samag.com] in the recent WHO Admin comprehensive vital signs test.
You don't need to be a Kreskin [amdest.com] to predict *WHO's future. The hand writing is on the wall: *WHO faces a bleak future. In fact there won't be any future at all for *WHO because *WHO is dying. Things are looking very bad for *WHO. As many of us are already aware, *WHO continues to lose market share. Red ink flows like a river of blood.
EntwistleWHO is the most endangered of them all, having lost 100% of his life. There can no longer be any doubt: *WHO is dying.
Let's keep to the facts and look at the numbers.
WHO leader Pete Townsand states that there are 4 members of *WHO. How live many members of *WHO are there? Let's see. The number of live members of *WHO versus dead ones is roughly 1 to 1. Therefore there are about 4/2 = 2 living *WHO members. This is consistent with the number of *WHO sightings.
Fact: *WHO is dying
Well, well. A Slashdot editor admits he uses a primarily closed-source system (yes, some minor parts are open) from one of the most proprietary companies around, Apple. So let me get this straight. The Editors can't be bothered to test with Internet Explorer because they don't run Microsoft (this was stated during the whole page-widening bug fiascos), but they'll happily run Apple?
So we basically know the truth. The Slashdot editors do not embrace Free Software, they are ONLY running away from Microsoft. They don't give a damn about the Free Software movement.
Freaking hypocrites.
You know, the hole that allows a specially crafted, chunk-encoded HTTP request to execute arbitrary code on the server, and as Microsoft would say, "a malicious user" could exploit this to damage systems, take over a box, or worse.
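The defensive side of the chunked-encoding hole mentioned above, as an added example that is not code from this thread or from Apache: a small HTTP/1.1 chunked-body decoder that validates every chunk-size line (unsigned hex only, within a bound) before the size is used for anything. The limits, the `ChunkError` type and the sample body are constructed for the demo.

```python
"""Defensive decoder for HTTP/1.1 chunked transfer encoding.

Added example; not code from the original page or from Apache. The point is
the check around the chunk-size line: a size is accepted only if it is plain
unsigned hex and within a configured bound, before it is used to size or
index any buffer. Limits and sample input are constructed for the demo.
"""
import re

MAX_CHUNK_SIZE = 1 << 20   # hypothetical per-chunk limit: 1 MiB
MAX_BODY_SIZE = 8 << 20    # hypothetical total decoded-body limit: 8 MiB

# chunk-size is 1*HEX; a sign, "0x" prefix, underscore or stray space is rejected
HEX_SIZE = re.compile(rb"[0-9A-Fa-f]+")


class ChunkError(ValueError):
    """Raised for any malformed or over-limit chunked body."""


def parse_chunk_size(line: bytes) -> int:
    """Parse one chunk-size line ("1f" or "1f;ext=val") and return the size."""
    size_text = line.split(b";", 1)[0].strip()
    if not HEX_SIZE.fullmatch(size_text):
        raise ChunkError(f"bad chunk-size field {size_text!r}")
    size = int(size_text, 16)          # cannot be negative after the regex check
    if size > MAX_CHUNK_SIZE:
        raise ChunkError(f"chunk size {size} exceeds limit {MAX_CHUNK_SIZE}")
    return size


def decode_chunked(data: bytes) -> bytes:
    """Return the de-chunked body, or raise ChunkError; never trusts a size."""
    body = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkError("truncated chunk-size line")
        size = parse_chunk_size(data[pos:eol])
        pos = eol + 2
        if size == 0:
            # last-chunk: optional trailer headers, then an empty line
            if data.find(b"\r\n\r\n", pos - 2) < 0:
                raise ChunkError("missing final CRLF")
            return bytes(body)
        if len(body) + size > MAX_BODY_SIZE:
            raise ChunkError("decoded body exceeds limit")
        # the chunk data plus its trailing CRLF must actually be present
        if len(data) - pos < size + 2:
            raise ChunkError("truncated chunk data")
        body += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ChunkError("chunk data not followed by CRLF")
        pos += 2


def is_rejected(data: bytes) -> bool:
    """True if decode_chunked refuses the input (helper for checks)."""
    try:
        decode_chunked(data)
    except ChunkError:
        return True
    return False


# constructed sample body: two chunks, then the last-chunk marker
SAMPLE = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"

if __name__ == "__main__":
    print(decode_chunked(SAMPLE))
    print(is_rejected(b"FFFFFFFF\r\nx\r\n0\r\n\r\n"))   # oversized chunk-size
    print(is_rejected(b"-1\r\n\r\n0\r\n\r\n"))           # signed chunk-size
```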
The theory of relativity doesn't work right in Arkansas.
RedHat just came out with their updated RPMS also. Last time that SSH came out with a security vulnerability (the same time the zlib one hit) I WAS HACKED! Do you know how bad you feel after you've been hacked? It's like being neutered.
In college, really poor, need a flatscreen.
Two minute install, no reboot required. Nice.
This space unintentionally left unblank.
Nicely enough, this does not require a reboot to get working. Downloaded and killed off the old sshd (and one would assume Apache if I had a web server on my laptop!).
I mean, I had already updated my FreeBSD machines two days ago. I got sick of waiting for Apple to release the easy to apply software update patch so I just manually upgraded my OpenSSH via the command line.
I understand that most of Apple's users don't want to touch the command line and wouldn't know where to start compiling software, so I also understand that it will take them a little time to deliver the security patch in an easy to install fashion via software update. I just hope they release the next update more quickly, instead of waiting for a few needed updates to pile up and release an all in one uber-update.
Whatever rumor you heard was incorrect. OS X 10.1.5 actually fixes several problems related to RTCW. Several serious issues I was having were resolved by updating to 10.1.5 and confirmed by Aspyr tech support. I highly recommend the upgrade. Specifically RTCW under 10.1.4 didn't work with the GeForce4Ti above 640x480 and now it works up to 1024x768. You'll still need to use an old card like the GeForce4MX if you want to go all the way to 1600x1200 with it though.
And it was sure nice to get an update that didn't require a restart! What's up with all the restarts required, anyway? This is Unix...I'm not used to restarting all the time (except kernel upgrades; but those are rare for me)
-- @rjamestaylor on Ello
Does it run under Finder or as a Desk Accessory?
I've still got mine, though, and my two boys are a testament to that fact (they even look a little like me, in case you think my wife is as cheap as yours! :)
-- @rjamestaylor on Ello
- Overpriced proprietary hardware
- No way to upgrade
- Poor price/performance ratio
- Sloppy security
- Gay user base
I'm sorry, but when I show up for my local AUG meeting,I don't want to be hit on by the boys in pink.
what a waste of a mod point. The friggin post was marked OffTopic already. Bonehead moderators.
10.1.5 has nothing to do with RtCW failing. Recently the 1.33 version of return to castle wolfenstein was released for linux and PC. When this happened many multi-player server started to require 1.33 (pure servers) in order to play.
There's some discussion on whether Aspyr will patch this; however, there is a workaround. Download the "lite" version of the 1.33 upgrade for PC, unstuffit and then replace mp_bin.pk3 in your MAIN folder.
These instructions are highlighted at the bottom of this URL on Aspyr's site
Interestingly enough, for me it did require a reboot. Perhaps because I chose to install the Applescript upgrade at the same time.
Wow, when Microsoft issues security update they are lambasted for putting out an insecure operating system.
Apple releases massive security update and they are lauded for their focus on protecting their users.
Red Hat releases security updates and no one mentions them at all.
While OpenSSH 3.4p1 fixes the bug that led to offering a priv-sep version in 3.3p1, the July Security Update does not modify the NetInfo tables to add an sshd user and group, along with the other configuration steps listed in README.privsep. It is suggested that Apple engineers may address privilege separation in Jaguar or an update to Jaguar.
This isn't an update for OS X that it has control of. It's the use of badly coded open source software that has the vulnerability. Microsoft is in control of how things run and mess up with Windows. Apple doesn't have 100% control because their software relies on open source people to fix it for them.
Didn't ruin anything in my PHP installation. By the way, there is a great step-by-step PHP installation guide to get the newest version of PHP (this one is even recommended by Apple).
>> Had I been going to bed earlier every night? Have I been sleeping later? Has Tyler been in charge longer and l
The version they should upgrade to is 2.8.10, that fixes a buffer overflow that can be triggered through .htaccess files.
Yeah, people have all kinds of sexual preferences. The only thing we can say for sure is that nobody wants to have sex with nosy dorks. As proof I offer the parent poster.
Traffic on bugtraq the last few hours indicates there is now a worm in the wild exploiting the Apache chunked-encoding vulnerability. http://online.securityfocus.com/archive/1/279529/2002-06-25/2002-07-01/0
I haven't seen this topic really ever brought up...
Linux and FreeBSD have been available for PPC for a while now, meaning that people could be running Macs as webservers. Although a very tiny percentage of the server population runs Mac webservers, these are mostly running enthusiast's webpages. The bottom line is, most serious webserving applications use Linux or FreeBSD or (gasp) IIS on PC's. (Also multi-CPU Unix servers, etc.)
My question is... why the small portion of webservers running on Apple? Is it because:
1) Apple computers represent a small portion of the computer market
2) Apple users generally run web servers
3) Apple computers suck at running web servers
4) Network admins don't like Apples
5) Some combination of the above
I'd be interesting in hearing some people's comments.
Cheers!
Well. Until recently there were no real hardware options for servers made by Apple. The Xserve changes that. But at a price a lot of people that run some random Linux webserver would never pay anyway.
Linux and BSD are pretty popular, especially as 'free' webservers. You have a spare box (or get a new one cheap), hook it up with the latest UNIX OS of your choice and run Apache. Cheap and stable.
More serious shops want things Apple is only getting around to now. And still, why use Apple hardware for webservers if you can run almost the same webserver on a box from your usual dealer? That's why Mac shops use Apple hardware for webservers. It's comfortable to use the same dealer for everything.
I guess you're new to this whole computer security thing. If you don't understand the difference between how MS and RedHat have reacted to security problems for the past 6 years, then I am not going to explain it to you.
If you wanna get rich, you know that payback is a bitch
Just look at versiontracker each day and you will be made aware of Apple updates too. Even if they are only available via Software Update.
Not entirely a waste. When a post goes down to -1, it doesn't get archived. Since all archives are done in flat view mode, any remaining junk messages are automatically visible and add noise to the discussion you're trying to read through.
I know.. i know.. a unix/linux site. But interesting indeed how Microsoft got BASHED for releasing 3 VERY easy to install patches that aren't really exploited at this point, and EVERY unix that uses the apache, ssl, ssh combination previous to the listed versions is needing a repair as well.
can't we all just get a bong?
1. Repost every post from the previous MS security release thread here changing MS to Apple/Unix/Linux and vice versa.
2. ???
3. Profit!
Mmmm.. Donuts
it's not like this is open source or anything. IT's not like the users could get patches themselves from apache and install them.
I mean, if you want to rely on a vendor supplied package based on an open project, of COURSE there is going to be a lag.
I'd like to somewhat lessen the blows that I see against apple for it's not-so-quick release of the apache vulnerability patch. I think they should have released it faster, but at the same time I can see why they gave themselves some time to test it, and when the openssh vuln was revealed, some time to incorporate that into the same patch. There was no exploit released for OS X or anything on PPC arch that I could see. It just wasn't targeted. The worm that is out is for BSD, but it's x86 shellcode, so again, OS X is not affected. I think the worm is only FreeBSD as well. But anyway, what I'm saying is that they probably could have released it faster, but there wasn't really anything at risk unless you were being specifically targeted by someone other than a script kiddie who actually knew what he/she was doing.
Cheers,
-JD-
It was just yesterday macSlash posted an 'article' titled 'Will Apple Support It's Modern OS with Modern Security?', mostly slated to Apple waiting too long to release security patches and not acknowledging security problems until they provide a patch.
Scott Anguish has an article on stepwise.com that shows you how to build OpenSSH yourself. He also suggests that you use the Apple-supplied "nobody" account for the purposes of privilege separation, as well as doing so in his instructions.
I don't know if Apple configures their update similarly, but I'll bet they do.
Sapere aude!
Funny South Park reference...
There is no good reason for your sysadmin not to let you on the network - they are being overbearing and unprofessional. If they were professional and genuinely worried they would have blocked incoming ports to your host at the switch (or at worst - the gateway).
Like most other administrators I have to work with, it sounds like they are simply exhibiting big egos and little professionalism (though I would not wish to jump to conclusions, it's most likely in my experience).
Apart from upgrading the SSH and Apache binaries yourself (I know I was too lazy and waited for Apple because I knew one was coming out) you could simply have disabled those services - after all, they are disabled by default on Mac OS X.
Lastly, in response to the original poster, Apple's response was slower than I would have liked (as the OpenSSH one was disclosed to vendors like Apple ~10 days before it was announced) but timely, and the fix was very elegant and appears to be bug free (clean install all round, no reboot required, etc).
Ehh, even if OS X is a *nix OS, most malicious little trolls are still quite unfamiliar with MacOS...
I don't think that they care whether it's MacOS or not. It's Apache or it's SSH -- they're familiar enough with those.
It makes more sense for Apple to simply release packages consisting of multiple minor security updates every three to six months.
You're trolling, right? You must be trolling. You really think that Apple should leave big, known, gaping holes unpatched for months on end? Check it, man, a week wasn't fast enough for a number of posters in this forum... if Apple let 3 months go by they'd be crucified, even if not a single mac was 'sploited
Most mac users would rather not have Software Update launch and pester them every week.
I don't know. I feel a frisson of excitement when SU has something new for me. Usually it means that something that was broken will soon be less broken, or better yet, there will be new functionality for me to enjoy. Granted the latest AirPort update was a major bust, but I'm all in favor of their rolling out the latest bugfixes as soon as they've been thoroughly tested.
A couple points that were brought up that I'd like to address....
First, as to why Macs aren't common web servers, I think the main reasons are cost of the hardware, difficulty in maintaining/upgrading, and lack of expandability. Of course, Apple sort of addressed this with the XServe, but it's still a hell of a lot cheaper to buy, say, an Athlon based PC with Linux than a whole PowerMac.
Second, as to why people are bashing MS for security holes and praising Apple for fixing them, let's keep in mind Microsoft makes their own web server software. Apple is putting in place fixes to programs they did not create, so they need a little more time to get the details and make a fix. Having said that, I agree that Apple could be a bit quicker about it.
-Suffering Bastard (runs web, mail, mp3, and file serving off various OS X boxen)
"Molest me not with this pocket calculator stuff."
- Deep Thought
Redhat has about 70 or 80 advisories for RedHat 7.2 alone in 2002.
How can this be?
Trolls throughout history:
Jonathan Swift
Not trying to be a troll, but everyone keeps mentioning that Microsoft gets bashed for security updates while Apple doesn't. Why is this? Because Apple generally takes care of the problem with one or two fixes whereas M$ seems to continue introducing security bugs & holes with every patch. Almost every M$ program (and operating system) associated with internet access seems to have serious security holes, time and time again...Internet Exploder, Internet Information Server, MSN Messenger, Outlook Express, Entourage, Visual Basic, even Office apps....Shall I continue? For all the money that M$ brings in from sales, extortion, bribery, etc...you'd think they would hire the BEST programmers money could buy to write their software. But Oh, slap my face, the current business model keeps the tech industry gainfully employed.
He also suggests that you use the Apple-supplied "nobody" account for the purposes of privilege separation, as well as doing so in his instructions.
If you run every non-privileged service (http, anon ftp, ntp, nntp, etc.) and partial service (ssh, mail, etc.) as the same non-privileged user, it defeats a lot of the purpose of the non-privilegedness. Even with chrooting, a process running as a non-root user can affect other processes that belong to the same user (e.g. send them signals). This is why vendors and sysadmins who know what they're doing create a different user for each service.
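An audit covering both the README.privsep post earlier in the thread (a dedicated sshd user and group) and the one-user-per-service point made here, added as an example that is not code from the thread, from OpenSSH or from Apple. The passwd/group lines and the service-to-account table are constructed; Apple's NetInfo store is not modelled, but the same checks apply to its users and groups directories. It assumes README.privsep's defaults of an unprivileged sshd account with home in the empty chroot directory /var/empty and a non-login shell.

```python
"""Audit of service accounts for privilege separation.

Added example; not code from the original page, OpenSSH or Apple. Two checks:
  1. a dedicated, unprivileged 'sshd' user and group exist, with home in the
     empty chroot directory and a non-login shell (README.privsep defaults
     assumed: /var/empty and /bin/false or equivalent);
  2. no two network services drop to the same uid, since processes under one
     uid can still signal each other regardless of chroot.
The passwd(5)/group(5) lines and the service table are constructed for the demo.
"""
from collections import defaultdict

PASSWD_TEXT = """\
root:*:0:0:System Administrator:/var/root:/bin/sh
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
www:*:70:70:World Wide Web Server:/Library/WebServer:/usr/bin/false
sshd:*:75:75:sshd privsep:/var/empty:/usr/bin/false
"""

GROUP_TEXT = """\
wheel:*:0:root
nobody:*:-2:
www:*:70:
sshd:*:75:
"""

# constructed: the account each network service drops privileges to
SERVICES = {"httpd": "www", "ftpd": "nobody", "ntpd": "nobody", "sshd": "sshd"}

NOLOGIN_SHELLS = ("/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin")


def parse_passwd(text: str) -> dict:
    """name -> {uid, gid, home, shell} from passwd-style lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(text: str) -> dict:
    """name -> gid from group-style lines."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, gid, _members = line.split(":")
            groups[name] = int(gid)
    return groups


def check_privsep_account(users, groups, user="sshd", chroot="/var/empty"):
    """Return a list of problems with the privsep account; empty means OK."""
    entry = users.get(user)
    if entry is None:
        return [f"no '{user}' user: privsep cannot drop to a dedicated uid"]
    problems = []
    if user not in groups:
        problems.append(f"no '{user}' group")
    elif groups[user] != entry["gid"]:
        problems.append(f"'{user}' user gid {entry['gid']} != group gid {groups[user]}")
    if entry["uid"] == 0:
        problems.append(f"'{user}' must not be uid 0")
    if entry["home"] != chroot:
        problems.append(f"'{user}' home is {entry['home']}, expected chroot {chroot}")
    if entry["shell"] not in NOLOGIN_SHELLS:
        problems.append(f"'{user}' has a login shell: {entry['shell']}")
    return problems


def shared_accounts(services, users):
    """uid -> sorted list of services sharing it (only uids used by 2+ services)."""
    by_uid = defaultdict(list)
    for service, account in services.items():
        by_uid[users[account]["uid"]].append(service)
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}


if __name__ == "__main__":
    users, groups = parse_passwd(PASSWD_TEXT), parse_group(GROUP_TEXT)
    print("privsep account problems:", check_privsep_account(users, groups))
    print("services sharing a uid:", shared_accounts(SERVICES, users))
```

On the constructed data the sshd account passes, while ftpd and ntpd are flagged for sharing the nobody uid.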
-- Linus Torvalds
not real familiar with bsd are ya? Here's a hint: It's the one that's not the cheap knockoff.....
Imagine a Beowolf Cluster of THESE!!!
While looking at the Apache setup in MacOS X, I decided to set up log analysis, and discovered that this security update implements Apache's rotatelogs. A minor upgrade, but a nice improvement that shows Apple is serious about their server platform. The (fairly) speedy response to the OpenSSH and Apache security holes also shows Apple is taking pains to do it right.
The hardware is more expensive for running a web server, and even if you are running it, I've found Linux to be a lot faster on the same hardware than OS X, not to mention the amount of memory you save, portability problems, and much better filesystems (though it would be cool if you could use softupdates on OS X). Anyway, these would show up as Linux or BSD, so you wouldn't see it as a Mac web server.
Haven't tried BSD on a Mac yet, but I have no reason to believe it wouldn't work just as well. The hardware is good and reliable, but you pay a lot for it, and for stuff you wouldn't be using
(like that GeForce or Radeon).
Also, Macs use more power than x86 boxen. Look on the power supply. (This is true for the Xserve as well: 3 amps as opposed to the 2 that IBM's rackmounts use.) In the server room, this can add up quickly.
Apple's response time is as fast as Red Hat's. That's pretty amazing, considering. Red Hat should have been faster, though. Although Red Hat's caution paid off in that the ssh vulnerability did not, apparently, affect their systems.
The fact that Apple won't ship hardware accelerated graphics for the ATI chipsets just made it worse. Do you know what it feels like to spend $1400 and then find out two months later that your purchase won't support simple drawing features, like the translucent menus OS 10 is rampant with?
Cocoa is extremely cool, but developing with it did not warrant upgrading my Mac again 8 months later just to experience more dismal performance and a sore wallet. I'm not going to buy into their pump and dump solution to hardware.
Goodbye Apple. My iBook was pretty cool, and I felt like part of the Apple community for the 8 months I had it - reading all the News sites daily in hope of some magic patch to make my hardware faster and OS X run better. It was nice reading about the Japanese kids that removed 200 screws and painted their iBook blue and overclocked it to 600 MHz. Ah well.
Flame on.. RIP iBook.
Pat
I was worried there for a second. My web programming team uses Atari ST computers using the Magic Sac Mac emulator. Thank God a patch was made so quickly and my Fortune 500 company is now safe again! Thank you Guy Kawasaki and Steve Wozniak!
I got confused with Mac OS X Server. rotatelogs was in Mac OS X Server before the July Security Update. You could turn it on and off with the Server Admin GUI.
I'm not sure when rotatelogs got added to regular Mac OS X. My mistake. I've only been working with Apache on X Server.
Am I the only one wondering where to download this? I have a Mac OS X box on our net, and I was searching desperately for a download earlier, so I breathed a sigh of relief when this was announced here. (I firewalled out SSH last week.)
I googled for 'apple security update' but I still can't find anything, except for text describing some GUI auto-update stuff. The whole point of using a UNIX-like OS on this server would be to have low maintenance, so I expected to be able to SSH in and run some tool like 'dpkg' or 'rpm'.
I'd be happy for your assistance guys (or if this would get a mod point so my question is visible).
HAHA -- well, I see that I left the smiley out. Seeing as I am the admin, I can now let my machine back on the network running httpd and ssh. :)
:( Time for a rebuild on that one -- and a new hard drive. In the meantime, its web server is down -- which is unfortunate because that's my primary web server. :(
Disabling the services is exactly what I did. I used the SSH workaround and I disabled Apache. Now I can reenable it. Oh, and this particular machine is outside the firewall.
My Linux box is so customised that I can't install Apache with RPM. I don't even have the drive space to compile httpd.
I've been waiting for this update for some time. Now I see all this talk about it, but when I run Software Update, it's not there. I viewed my update log and the last stuff was the AppleScript update, iPhoto, and iPod Software Updater, that's it. Am I missing something?
Sticking it to the CLIT and pleasuring those MAC fags. Excellent work!
It's free.
^
|
It doesn't look as though they enabled privsep at all. No UsePrivilegeSeparation in the sshd_config.
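A way to check that observation on your own sshd_config, as an added example and not code from the thread or from OpenSSH: parse the file the way sshd reads it (one directive per line, `#` comments, case-insensitive keywords, first occurrence of a keyword wins) and report whether `UsePrivilegeSeparation` is set explicitly, left to the compiled-in default, or turned off, plus a couple of related directives. The config text below is constructed for illustration; `Match` blocks, which this era of sshd did not have, are not tracked.

```python
"""Report the privilege separation state and related settings from an sshd_config.

Added example, not code from the thread or from OpenSSH. Parsing follows
sshd's rules: keyword/value per line, '#' comments, keywords are case
insensitive, and the first occurrence of a keyword is the one that applies.
Match blocks are not tracked (a simplification). The sample is constructed.
"""

# Constructed sshd_config sample (not a real host's file). Note that the
# privsep directive is commented out, so it is effectively absent.
SAMPLE_CONFIG = """\
# constructed sshd_config sample
Port 22
Protocol 2
#UsePrivilegeSeparation yes
PermitRootLogin yes
PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: value}; comments and blanks skipped, first match wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" and "Keyword=value" forms.
        if "=" in line and " " not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            key, value = parts
        settings.setdefault(key.strip().lower(), value.strip())
    return settings


def check_privsep(settings):
    """Return 'yes', 'no', or 'unset' (directive absent, so the compiled-in default applies)."""
    value = settings.get("useprivilegeseparation")
    if value is None:
        return "unset"
    # 'sandbox' is a later, stricter form of 'yes'.
    return "yes" if value.lower() in ("yes", "sandbox") else "no"


def audit(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    settings = parse_sshd_config(text)
    findings = []
    state = check_privsep(settings)
    if state != "yes":
        findings.append(f"UsePrivilegeSeparation is {state}; set it to yes explicitly")
    if settings.get("permitrootlogin", "").lower() == "yes":
        findings.append("PermitRootLogin yes: root can log in directly over SSH")
    # Only flag protocol 1 when the file explicitly enables it; the default
    # depends on the sshd version and is not asserted here.
    if "1" in settings.get("protocol", "").replace(" ", "").split(","):
        findings.append(f"Protocol {settings['protocol']}: SSH protocol 1 is enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Point `audit()` at the contents of `/etc/sshd_config` (or wherever your build keeps it) to run it for real; on the constructed sample it flags the missing privsep directive and `PermitRootLogin yes`, and nothing else.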