Slashdot Mirror


It's not a Feature, It's a Vulnerability!

pmeunier writes "Apple's security stance is stunning. In the latest (10.3.9) update, Apple removed two capabilities because they pose security risks. One of them is the capability to run setuid and setguid scripts (the other was actually unused). Can other commercial OS vendors (how many are there :) adopt a similar stance? Will you be inconvenienced by the inability to run setuid scripts on MacOS X? Which other features/capabilities (in any OS) would you like to have removed?"

6 of 180 comments (clear)

  1. Stunning? by Golias · · Score: 3, Insightful

    I guess I missed what was "stunning" about this.

    --

    Information wants to be anthropomorphized.

  2. Weight the trade off by amichalo · · Score: 3, Insightful

    It's all about looking at the trade off of system security vs. robustness. I don't know about SetUserID but if it makes my Mac less secure and doesn't allow my applications to do anything I need them to then shut 'er off.

    The OS is already built with abilities to SUDO applications so perhaps Apple will figure out a more secure way of implementing the SetUserID feature so as not to create a vulerability. If they have to have it, then it probably needs to a an Admin level tool anyway.

    --
    I only came here to do two things; kick some ass, and drink some beer...looks like we're almost out of beer.
  3. Re:Derrrrrr.... by EnronHaliburton2004 · · Score: 3, Insightful

    Now as an added bonus, look in your /bin directory and tell us which scripts have suid turned on. Now look for the suid bit on every file in your filesystem.

    It won't be very easy to find the programs without a 'find' command.

    Note that the only difference between a regular file and an suid-bit file is a teeny one-bit change-- there's an 's' instead of an 'x' or '-'. It's hard to see, and many people don't know it is when they see it.

    Is that the sort of 'needle in a haystack' obsfucation that introduces all sorts of security issues.

  4. Answers : yes, no, where to start? by javaxman · · Score: 3, Insightful
    Can other commercial OS vendors (how many are there :) adopt a similar stance?

    they do, clearly. There are just too many examples of features dropped between releases of operating systems to pick only one.

    Will you be inconvenienced by the inability to run setuid scripts on MacOS X?

    no. It was a mistake that the feature was ever included. You should SUID/SGID binaries, not text files or anything else. Scripts are not binaries.

    Which other features/capabilities (in any OS) would you like to have removed?

    Can I vote for eliminating the ability of any OS to create annoying, non-standards-supporting web pages that use too much Flash and/or Javascript ? Can I prevent any OS from sending out spam email ? Can I remove the ability of a compiled application to crash the machine? No? Too bad. In any given system, there are a lot of features that aren't really needed and can be either a source of confusion or a source of problems. Most of these shouldn't be in the OS layer, and ( like the SUID issue ) should be tightened up if they are in that layer.

    Fundamentally, though, the SUID/SGID thing referenced in the story is a non-issue. If I have console access, typing "sudo" and a password isn't even an inconvenience. It's already been pointed out that this feature has already been removed from almost every other major Un*x variant, including Linux.

  5. Re:Stunningly *stupid* by Anonymous Coward · · Score: 3, Insightful

    1. It's not an important feature.

    2. Even when it's used for what it's there for, it's being misused.

    3. No competent sysadmin counts on it being there. Ever.

    4. Most "real" flavors of *nix threw it away a long time ago.

    If Apple is open to criticism, it's for not chucking it sooner.

  6. Apple did not remove SUID/SGID on scripts by Cmdr+TECO · · Score: 5, Insightful

    Apple added a kernel switch for suid/sgid on scripts, and leave it off by default. If you want suid/sgid scripts on your system, enable them. If you don't think this comment has given you enough information to enable them, you shouldn't be running suid/sgid scripts.

    --
    echo 33676832766569823265328479713269.8639857989Pq | dc