How a malformed installer package can crack Mac OS X. ⇒
18 September 2006, early afternoon
This is a post from my link log: If you click the title of this post you will be taken the web page I am discussing.
18 September 2006, early afternoon
This is a post from my link log: If you click the title of this post you will be taken the web page I am discussing.
That’s not really a security vulnerability. That’s more like “If you su to root, and then run a script that roots your computer, your computer can get rooted.” That’s a security issue with all computers.
That’s why you never run anything unless you know exactly what you’re running, or are willing to take the risk, or you’re running it in a snapshotted vm you don’t care about.
by Iluvitar on September 18 2006, 3:47 pm #
not exactly. the “admin” user in OS X is more analogous to a member of the “wheel” group in other Unixen.
Being a member of wheel on a linux box, you’d still need either the root pass to use ‘su’ or your pass to use ‘sudo’.
in this case, the Installer is executing root code simply because you’re a member of wheel.
And that’s wrong. Very, very wrong.
by Jeremy Derr on September 18 2006, 4:59 pm #
Exactly. Most people will expect to be prompted for a password when you install stuff that requires root access, but by the sounds of things, Apple’s installer lets you get around this if you have an Admin account. Anyway, being careful about where you get your software is important regardless of whether this vulnerability exists or not.
by ramanan on September 18 2006, 5:12 pm #