Slashdot Mirror


Hack Mac OS X With Installer Packages

nezmar writes, "MacGeekery has a short but insightful piece with examples on how to use a malformed Installer package (.pkg) on Mac OS X to 'insert user accounts with administrator rights and change root-owned system configuration or binary files without prompting the vast majority of Mac OS X users for a password of any kind.'" The article notes that this issue was brought up on the Apple Discussion Boards 6 weeks back and that it was noted there as a duplicate / known issue. It also gives as an example the installation of Parallels, the popular virtualization software, which uses the described technique, but not for nefarious purposes.

3 of 194 comments

  1. Well... by Anonymous Coward · Score: 5, Insightful

    At the very least, until this is fixed, this is yet another reminder not to install things without knowing what they are.

  2. Hacking OS X? Hardly by morgan_greywolf · Score: 5, Insightful

    You still have to install the package as an admin user. Lots of tools on Linux create admin user accounts without prompting for a password when run as root. The Debian Advanced Package Tool (APT), in fact, is one of them. It's perfectly possible to create a .deb package that sets up admin user accounts without prompting, as long as you are running as root. Does that mean you can hack Debian or Ubuntu with .deb packages?

    1. Re:Hacking OS X? Hardly by Wm_K · Score: 5, Insightful
      I believe you misunderstand. sudo is a command that takes a user listed in the sudoers file and gives them root privileges.

      Exactly! But when do you get root privileges? Only after you give your password to sudo (either on the cli or in the installer). Before that point you have as many privileges as an ordinary user.

      The little thread started because cgenman said "OSX users run as admin by default" with which he seemed to imply that Mac OS X users run with root privileges by default and therefore don't get prompted for a password. But this is not the case.

      I don't even think we're making a different point. My definition of admin is just more confusing I guess. You're indeed right that the default user is a user from the admin group, but my point is that even though the user might be an admin, he doesn't have root privileges without giving a password first.