Slashdot Mirror


It's not a Feature, It's a Vulnerability!

pmeunier writes "Apple's security stance is stunning. In the latest (10.3.9) update, Apple removed two capabilities because they pose security risks. One of them is the capability to run setuid and setguid scripts (the other was actually unused). Can other commercial OS vendors (how many are there :) adopt a similar stance? Will you be inconvenienced by the inability to run setuid scripts on MacOS X? Which other features/capabilities (in any OS) would you like to have removed?"

4 of 180 comments (clear)

  1. Re:Answers by a11 · · Score: 0, Troll

    Informative? how about False!! The link mentions only one script exploit, and it's false. making a link called "-i" to a shell script does not start up an interactive shell. SUID scripts are no more a hole than any other program. bad code is bad code. this rumor is an ancient unix fairytail. take it from a real sysadmin.

  2. Re:Weight the trade off by Anonymous Coward · · Score: -1, Troll

    Your OS uses a fragile security model that can easily be shattered by things like allowing suid scripts. Other OSs that use similarly fragile security models learned years ago about the potential danger of this, and have removed the ability to run suid scripts from the OS.

    This article is about Apple realising that it needs to place another band-aid on a huge festering wound to keep it from oozing all over the place.

  3. Re:Companies warning to NOT install the upgrade by Anonymous Coward · · Score: -1, Troll

    You are an idiot and a liar.

  4. Re:Are you out of your mind? by a11 · · Score: 0, Troll

    again, ANCIENT fairytail. first, only in bourne. any posix shell will have things like buffer padding. and I'm sorry, how exactly are you going to exploit a buffer overflow in my -s shell script? Maybe if someone doen't know how to properly write a shell script. The fact that you refer to linux tells me that you don't deal with tier1 applications for large companies. linux is not even close to posix compliance and not nearly mature enough. In posix shells, there's a -s option - read up on what it does. all you people noting huge holes are yet to give a current, example where the script is not written in a bad way to allow the bug. I can have a suid c program to syscall argv. that doesn't mean suid should be banned. that means whoever wrote the bad code should be flipping burgers.