Slashdot Mirror


Hack Mac OS X With Installer Packages

nezmar writes, "MacGeekery has a short but insightful piece with examples on how to use a malformed Installer package (.pkg) on Mac OS X to 'insert user accounts with administrator rights and change root-owned system configuration or binary files without prompting the vast majority of Mac OS X users for a password of any kind.'" The article notes that this issue was brought up on the Apple Discussion Boards 6 weeks back and that it was noted there as a duplicate / known issue. It also gives as an example the installation of Parallels, the popular virtualization software, which uses the described technique, but not for nefarious purposes.

5 of 194 comments

  1. Well... by Anonymous Coward · Score: 5, Insightful

    At the very least, until this is fixed, this is yet another reminder not to install things without knowing what they are.

  2. Hacking OS X? Hardly by morgan_greywolf · Score: 5, Insightful

    You still have to install the package as an admin user. Lots of tools on Linux create admin user accounts without prompting for a password when run as root. The Debian Advanced Package Tool (APT), in fact, is one of them. It's perfectly possible to create a .deb package that sets up admin user accounts without prompting, as long as you are running as root. Does that mean you can hack Debian or Ubuntu with .deb packages?

    1. Re:Hacking OS X? Hardly by Wm_K · Score: 5, Insightful
      I believe you misunderstand. sudo is a command that takes a user listed in the sudoers file and gives them root privileges.

      Exactly! But when do you get root privileges? Only after you give your password to sudo (either on the cli or in the installer). Before that point you have as many privileges as an ordinary user.

      The little thread started because cgenman said "OSX users run as admin by default" with which he seemed to imply that Mac OS X users run with root privileges by default and therefore don't get prompted for a password. But this is not the case.

      I don't even think we're making a different point. My definition of admin is just more confusing I guess. You're indeed right that the default user is a user from the admin group, but my point is that even though the user might be an admin, he doesn't have root privileges without giving a password first.

  3. So, in summation by banky · Score: 4, Insightful

    1. If you're sitting at the box, you might be able to 0wnz0r it. Same as for Linux, BSD, and Windows.
    2. Regular folk should only install software from reasonably trusted sources.

    I would assume that second point would be clear, given 10 years of watching Windows users open every last attachment that arrives in their inbox, while we sit at our Macs and laugh, but something tells me, probably not.

    --
    ZOMG I WOULD LOVE TO KNOW ABOUT YOUR FEELINGS ON MACINTOSH VERSUS WINDOWS, VI VERSUS EMACS, AND HOW YOU'RE NOT A DORK

  4. Seems nobody really got it. by l0ne · Score: 4, Insightful

    Admin users in OS X are regular users in the admin group. The default setup creates an admin user. Installer.app allows PKGs run by admin TO RUN AS ROOT AND WRITE ON ROOT:WHEEL OWNED FILES WITHOUT A PASSWORD PROMPT. It's more-or-less OK for admins to write to /Applications. It's not to change /etc/sudoers or similar nefarious things without a prompt.
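
Following on from the last comment, a pre-install check for a bundle-style .pkg, added here as an example (it is not code from the thread or from the MacGeekery article). It assumes the older package layout in which `Contents/Info.plist` carries the `IFPkgFlagAuthorizationAction` key and install scripts sit in `Contents/Resources`; the key name, the `needs_review` heuristic and the helper names are assumptions, not taken from the page.

```python
import plistlib
import tempfile
from pathlib import Path

# Script names Installer.app looks for in Contents/Resources of a bundle-style
# package (assumed layout; the page does not list them).
INSTALL_SCRIPTS = ("preflight", "preinstall", "preupgrade",
                   "postinstall", "postupgrade", "postflight")
AUTH_KEY = "IFPkgFlagAuthorizationAction"  # assumed key, see lead-in

def audit_pkg(pkg_path):
    """Report the declared authorization level and install scripts of a .pkg bundle."""
    contents = Path(pkg_path) / "Contents"
    try:
        with (contents / "Info.plist").open("rb") as fh:
            auth = plistlib.load(fh).get(AUTH_KEY)
    except Exception:
        auth = "unreadable"  # missing or corrupt plist: treat as suspicious
    scripts = sorted(n for n in INSTALL_SCRIPTS
                     if (contents / "Resources" / n).is_file())
    # Heuristic (assumption): scripts that will run although the package does not
    # ask for root authentication should be read before the package is installed.
    needs_review = bool(scripts) and auth != "RootAuthorization"
    return {"authorization": auth, "scripts": scripts, "needs_review": needs_review}

def build_sample_pkg(root, auth, scripts):
    """Create a constructed package skeleton with no-op scripts for the demo."""
    pkg = Path(root) / "Sample.pkg"
    resources = pkg / "Contents" / "Resources"
    resources.mkdir(parents=True)
    with (pkg / "Contents" / "Info.plist").open("wb") as fh:
        plistlib.dump({AUTH_KEY: auth}, fh)
    for name in scripts:
        (resources / name).write_text("#!/bin/sh\nexit 0\n")
    return pkg

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_sample_pkg(tmp, "AdminAuthorization", ["postflight"])
        print(audit_pkg(sample))
```

A package flagged with `needs_review` is not necessarily hostile (the summary notes Parallels uses the same mechanism); the flag only marks scripts worth reading before installing.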