Slashdot Mirror


It's not a Feature, It's a Vulnerability!

pmeunier writes "Apple's security stance is stunning. In the latest (10.3.9) update, Apple removed two capabilities because they pose security risks. One of them is the capability to run setuid and setguid scripts (the other was actually unused). Can other commercial OS vendors (how many are there :) adopt a similar stance? Will you be inconvenienced by the inability to run setuid scripts on MacOS X? Which other features/capabilities (in any OS) would you like to have removed?"


  1. Please remove these ... by EnronHaliburton2004 · · Score: 3, Interesting
    Personally, I have had it with scripts which do dumb things as root, such as:
    ```sh
    bar='' ### Mysteriously null! !@#!@%
    FOO=/$bar
    rm -rf $FOO
    ```
    Or even something similar like this 'The engineer doesn't understand permissions' script:
    ```sh
    chmod -R 777 /
    ```
    Could you please remove those?

    Thank god for applications like Netapp, which keep a readily available copy of most directories in $PWD/.snapshot. This has saved my ass a dozen times...
  2. Derrrrrr.... by JHromadka · · Score: 4, Interesting

    Um, how about an explanation on what setuid and setguid actually does first, and then I'll tell you if I'm stunned.

    --
    "The objective of securing the safety of Americans from crime and terror has been achieved." -- John Ashcroft
  3. speaking of suid vulnerabilities by baryon351 · · Score: 3, Interesting

    Speaking of suid vulnerabilities, http://www.frsirt.com/exploits/20050123.fm-iSink.c .php is an exploit of the mrouter hole (an overflowable suid app in iSync) which allows local root access. Exploited in January, still unfixed in April.

    Severity of course depends on how your system is used.

  4. Re:Companies warning to NOT install the upgrade by sRev · · Score: 2, Interesting

    I've now installed the update on 3 of my macs. The only real issue so far has been that one machine needed its printers reset. On a "more annoying" note, the update added an insane number of unwanted bookmarks and bookmark folders to Safari (NY Times, Mac.com, Amazon, eBay, etc.). I can't remember this happening after the installation of previous Safari updates. I hope this isn't a new trend.

  5. Re:Stupid crap by ArbitraryConstant · · Score: 2, Interesting
    It doesn't prevent lazy programmers and administrators from misusing SUID.
    ```c
    #include <errno.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>

    /* Setuid C wrapper that hands its arguments straight to a fixed script path. */
    #define SCRIPT_PATH "/usr/local/bin/whatever"

    int main (int argc, char *argv[]) {
        (void)argc;
        execv(SCRIPT_PATH, argv);

        /* execv only returns on failure; report why to stderr. */
        fprintf(stderr, "%s: could not execute \"%s\" (\"%s\")\n", argv[0], SCRIPT_PATH, strerror(errno));
        return 1;
    }
    ```
    --
    I rarely criticize things I don't care about.
  6. Re:Stunningly *stupid* by YOU+LIKEWISE+FAIL+IT · · Score: 3, Interesting
    so even though many sysadmins count on such things

    Bzzt. If you depend on such things, you should have your badge revoked. Setuid on scripts is a horrible hack, because the execution mechanism of shell scripts allows users to tinker with the internals of the suid resource.

    This should never, ever, ever be allowed.

    --
    One god, one market, one truth, one consumer.
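Following the wrapper in comment 5 and the argument in comment 6, here is an added audit helper (not from the thread, Apple, or any poster) that lists setuid/setgid files which are interpreter scripts, so an administrator can see what the 10.3.9 change will stop honouring and what was the risky case to begin with. It assumes a POSIX sh with find, head -c, mktemp and chmod; the fixture directory and file names are constructed for the demonstration.

```shell
#!/bin/sh
# find_suid_scripts DIR -> prints, one per line, every regular file under DIR
# that has the setuid or setgid bit set AND begins with the "#!" script magic.
# (Added audit example; not code from the thread.)
find_suid_scripts() {
    dir=$1
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # A script is any file whose first two bytes are "#!"; binaries are not.
        if [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ]; then
            printf '%s\n' "$f"
        fi
    done
}

# make_fixture -> prints the path of a constructed scratch directory holding
# a setuid script (should be reported), a setuid non-script (should not),
# and a plain script without the bit (should not).
make_fixture() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho hi\n' > "$tmp/suid.sh";  chmod 4755 "$tmp/suid.sh"
    printf 'not a script\n'       > "$tmp/suid.dat"; chmod 4755 "$tmp/suid.dat"
    printf '#!/bin/sh\necho hi\n' > "$tmp/plain.sh"; chmod 0755 "$tmp/plain.sh"
    printf '%s\n' "$tmp"
}
```

Run it on a real tree with `find_suid_scripts /usr/local`; on the fixture, only `suid.sh` is reported.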