Not to mention that that flaw doesn't have a workaround. This one has a trivial workaround (not staying logged in as admin).
Having Chrome store your passwords is a choice just as staying logged in as admin is. I would definitely file that in the 'trivial workaround' category as well.
But if you always leave yourself logged in as admin, then this exploit doesn't gain anything. You have access to all the files on a default system running as admin, so why bother going through the process?
God dammit. Look up the difference between an admin account and root on OS X. They are *not* the same. Admin accounts do *not* have access to everything on the system.
Here, try this. Drag a file into the /System directory in the Finder while logged into an admin account. Did it let you do it without further authentication? No! Why you ask?
Because admin is not the same as root.
The main difference between an admin and a limited account is not so much what you can access out of the box as it is the fact that with an admin account, you can escalate to root by entering a password, either using sudo or Auth Services. Without a password entry, you're not getting root access. Unless you use this exploit, of course, in which case you can go to town without any password at all. *That* is what the issue is about!
On *Windows* the admin accounts do have full access to everything (or at least they used to — I haven't used the newer Windows versions much, so maybe MS has fixed that by now. It was definitely that way in XP), but that's Windows. This is OS X. Different ball game, different rules. This was also one of the major security advantages that the Mac had over Windows. And now it's gone, until Apple fixes this, which they apparently could have done with an update that's been out since February. Argh.
Yes, but you keep ignoring the way 99.99% of users set up their system - admin is the same password as root. So if they're logged in as admin, they simply SUDO and use THE SAME PASSWORD that they use every day to get access to every single file on the system.
Furthermore, your example is silly. Gaining access to the System files (which require root) isn't very exciting. It's all that nice juicy data in the user files that most hackers are going to want. And if you have admin access, you have all those files when there is no separate user account (the way most users use their system).
That's still missing the main point - that this gets a user or application root privileges without even having to know an admin password. I'm not so worried about the user threat because it would require physical access or remote login (with an admin password), but this gives a malicious application (launched by an admin user) not just admin, but root privileges without any authentication requested. Once running as root it can harvest all the Keychain data for all users, without even knowing any admin passwords. In contrast, an application running admin privileges can't even get that for the account that launched it without further authentication.
And your peevish whinging is relevant to this topic...how?
I disagree with you, and you should be a little nicer to strangers.
That person has listed some complaints, and you Apple fanatics need to understand that your god is not perfect and makes many mistakes.
No - that person attempted to hijack the thread with irrelevant, off-topic, complaints. And you appear to be declaring disagreement with a still-unanswered question. How can you disagree with a question?
On *Windows* the admin accounts do have full access to everything (or at least they used to — I haven't used the newer Windows versions much, so maybe MS has fixed that by now. It was definitely that way in XP), but that's Windows.
Windows admin accounts have run at less than maximum privileges since Vista. To do anything requiring system-level access you have to temporarily elevate privileges through the UAC prompt, even as an admin user.
If you have admin access, you have a password that you can use to SUDO, anyway. Very, very, very few people actually have multiple passwords and accounts on their machines. Every single person I know (with one exception) operates with a single password - and all their files are accessible at any time.
But the idea is that an app can call sudo and gain root privileges. Apple need to ask for a password to set the calendar programmatically. That's the fix.
(sudo can be updated too, of course, but that is not Apple's code really).
Yes, but you keep ignoring the way 99.99% of users set up their system - admin is the same password as root. So if they're logged in as admin, they simply SUDO and use THE SAME PASSWORD that they use every day to get access to every single file on the system.
But *you* entered that password. The applications on your system did not, and they do not know your admin password. For any of those applications to escalate to root privileges, they require *you* to enter the admin password. The applications can't do it silently, without your direct authorization to do so. Until now.
Furthermore, your example is silly. Gaining access to the System files (which require root) isn't very exciting. It's all that nice juicy data in the user files that most hackers are going to want. And if you have admin access, you have all those files when there is no separate user account (the way most users use their system).
The example was a quick-and-dirty way to give you practical proof that you do not indeed have full access to everything on the system. Most of the "good" stuff would be less convenient a test, since a lot of it's in locations that are hidden to the user. However, it's safe to say that *your* example is a bit silly, since *every* account, admin or not, has access to that account's own user files, so the only way *those* wouldn't be accessible would be if you weren't running in your own user account!
You want some real examples of what a malicious application can do with root privileges then? Okay, how about:
1. Like someone else already mentioned, this can grant malicious apps access to every Keychain on the system, from which attackers can get passwords to juicy things like:
Your online banking account
Your credit card account
Your AI account so they can make you look ignorant by posting clueless replies about how giving a malicious app root access isn't a problem
Your e-mail account, so the attacker can click the "Forgot Password" link for all your other accounts and reset all their passwords, giving the attacker access to *all* of them
2. More than the Keychain, with root access, you can actually access the VM swapfiles themselves, which theoretically can contain *anything* that's in memory, which could contain anything you've typed recently — including your admin password itself, or your credit card numbers if you've done any online shopping
3. With root, one can install malware in obscure nooks and crannies of the system such that you'll never be able to find it all and root it out without wiping your hard drive. Root can even modify the OS in such a way that it will prevent the files containing the malware from being shown to the user at all. In case you think malware isn't a threat, malware can include things like keyloggers which log everything your keyboard types and send it somewhere, which is sure to get all your passwords, credit card number, etc. Root can also install malware that runs on every user account, not just one of them.
4. You're probably thinking something like "Well, I've got Little Snitch, which would let me know if any malware app tried to phone home, and would prevent it!" With root access, you can silently disable things like Little Snitch without the user being any the wiser.
Seriously, if admin/root separation isn't that important, why aren't you holding up Windows XP as the paragon of security? Because lacking that separation worked so well there.
Comments
Quote:
Originally Posted by jragosta
Not to mention that that flaw doesn't have a workaround. This one has a trivial workaround (not staying logged in as admin).
Having Chrome store your passwords is a choice just as staying logged in as admin is. I would definitely file that in the 'trivial workaround' category as well.
Here, try this. Drag a file into the /System directory in the Finder while logged into an admin account. Did it let you do it without further authentication? No! Why you ask?
Because admin is not the same as root.
The main difference between an admin and a limited account is not so much what you can access out of the box as it is the fact that with an admin account, you can escalate to root by entering a password, either using sudo or Auth Services. Without a password entry, you're not getting root access. Unless you use this exploit, of course, in which case you can go to town without any password at all. *That* is what the issue is about!
On *Windows* the admin accounts do have full access to everything (or at least they used to — I haven't used the newer Windows versions much, so maybe MS has fixed that by now. It was definitely that way in XP), but that's Windows. This is OS X. Different ball game, different rules. This was also one of the major security advantages that the Mac had over Windows. And now it's gone, until Apple fixes this, which they apparently could have done with an update that's been out since February. Argh.
Yes, but you keep ignoring the way 99.99% of users set up their system - admin is the same password as root. So if they're logged in as admin, they simply SUDO and use THE SAME PASSWORD that they use every day to get access to every single file on the system.
Furthermore, your example is silly. Gaining access to the System files (which require root) isn't very exciting. It's all that nice juicy data in the user files that most hackers are going to want. And if you have admin access, you have all those files when there is no separate user account (the way most users use their system).
Quote:
Originally Posted by jragosta
Quote:
Originally Posted by Durandal1707
God dammit. Look up the difference between an admin account and root on OS X. They are *not* the same. Admin accounts do *not* have access to everything on the system.
Here, try this. Drag a file into the /System directory in the Finder while logged into an admin account. Did it let you do it without further authentication? No! Why you ask?
Because admin is not the same as root.
The main difference between an admin and a limited account is not so much what you can access out of the box as it is the fact that with an admin account, you can escalate to root by entering a password, either using sudo or Auth Services. Without a password entry, you're not getting root access. Unless you use this exploit, of course, in which case you can go to town without any password at all. *That* is what the issue is about!
On *Windows* the admin accounts do have full access to everything (or at least they used to — maybe MS has fixed that by now. It was definitely that way in XP), but that's Windows. This is OS X. Different ball game, different rules.
Yes, but you keep ignoring the way 99.99% of users set up their system - admin is the same password as root. So if they're logged in as admin, they simply SUDO and use THE SAME PASSWORD that they use every day to get access to every single file on the system.
Furthermore, your example is silly. Gaining access to the System files (which require root) isn't very exciting. It's all that nice juicy data in the user files that most hackers are going to want. And if you have admin access, you have all those files when there is no separate user account (the way most users use their system).
That's still missing the main point - that this gets a user or application root privileges without even having to know an admin password. I'm not so worried about the user threat because it would require physical access or remote login (with an admin password), but this gives a malicious application (launched by an admin user) not just admin, but root privileges without any authentication requested. Once running as root it can harvest all the Keychain data for all users, without even knowing any admin passwords. In contrast, an application running admin privileges can't even get that for the account that launched it without further authentication.
That person has listed some complaints, and you Apple fanatics need to understand that your god is not perfect and makes many mistakes.
Quote:
Originally Posted by androidforme
Quote:
Originally Posted by NeilM
And your peevish whinging is relevant to this topic...how?
I disagree with you, and you should be a little nicer to strangers.
That person has listed some complaints, and you Apple fanatics need to understand that your god is not perfect and makes many mistakes.
No - that person attempted to hijack the thread with irrelevant, off-topic, complaints. And you appear to be declaring disagreement with a still-unanswered question. How can you disagree with a question?
Quote:
Originally Posted by Durandal1707
On *Windows* the admin accounts do have full access to everything (or at least they used to — I haven't used the newer Windows versions much, so maybe MS has fixed that by now. It was definitely that way in XP), but that's Windows.
Windows admin accounts have run at less than maximum privileges since Vista. To do anything requiring system-level access you have to temporarily elevate privileges through the UAC prompt, even as an admin user.
Quote:
Originally Posted by jragosta
If you have admin access, you have a password that you can use to SUDO, anyway. Very, very, very few people actually have multiple passwords and accounts on their machines. Every single person I know (with one exception) operates with a single password - and all their files are accessible at any time.
But the idea is that an app can call sudo and gain root privileges. Apple need to ask for a password to set the calendar programmatically. That's the fix.
(sudo can be updated too, of course, but that is not Apple's code really).
The example was a quick-and-dirty way to give you practical proof that you do not indeed have full access to everything on the system. Most of the "good" stuff would be less convenient a test, since a lot of it's in locations that are hidden to the user. However, it's safe to say that *your* example is a bit silly, since *every* account, admin or not, has access to that account's own user files, so the only way *those* wouldn't be accessible would be if you weren't running in your own user account!
You want some real examples of what a malicious application can do with root privileges then? Okay, how about:
1. Like someone else already mentioned, this can grant malicious apps access to every Keychain on the system, from which attackers can get passwords to juicy things like:
2. More than the Keychain, with root access, you can actually access the VM swapfiles themselves, which theoretically can contain *anything* that's in memory, which could contain anything you've typed recently — including your admin password itself, or your credit card numbers if you've done any online shopping
3. With root, one can install malware in obscure nooks and crannies of the system such that you'll never be able to find it all and root it out without wiping your hard drive. Root can even modify the OS in such a way that it will prevent the files containing the malware from being shown to the user at all. In case you think malware isn't a threat, malware can include things like keyloggers which log everything your keyboard types and send it somewhere, which is sure to get all your passwords, credit card number, etc. Root can also install malware that runs on every user account, not just one of them.
4. You're probably thinking something like "Well, I've got Little Snitch, which would let me know if any malware app tried to phone home, and would prevent it!" With root access, you can silently disable things like Little Snitch without the user being any the wiser.
Seriously, if admin/root separation isn't that important, why aren't you holding up Windows XP as the paragon of security? Because lacking that separation worked so well there.
Now with better formatting. You need to add the following line to the /etc/sudoers to force a password prompt to be given at all times:
Defaults:ALL timestamp_timeout=0
Apple should make this a default IMO.
This stops this security problem.
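Whether a sudoers file actually carries the setting from the post above can be checked mechanically. The following is an added example, not part of the thread: a POSIX shell function that reads sudoers-format text on stdin and reports every timestamp_timeout setting. The function name, the sample inputs and the rule that every setting must be 0 are assumptions of this example; it is stricter than sudo's own precedence between Defaults scopes and does not follow include files.

```shell
#!/bin/sh
# Added example: lint sudoers-format text (stdin) for timestamp_timeout.
# Assumption: the policy is "every Defaults scope that sets it uses 0".
# Returns 0 only if at least one setting exists and all of them are 0.
audit_timestamp_timeout() {
    awk '
    # Join backslash-continued lines into one logical line.
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
    {
        line = buf $0; buf = ""
        sub(/^[ \t]+/, "", line)
        # Skip comments and everything that is not a Defaults entry.
        if (line ~ /^#/ || line !~ /^Defaults/) next
        scope = line; sub(/[ \t].*$/, "", scope)       # e.g. Defaults:ALL
        rest = line;  sub(/^[^ \t]+[ \t]*/, "", rest)  # option list
        n = split(rest, opt, ",")
        for (i = 1; i <= n; i++) {
            gsub(/[ \t]/, "", opt[i])
            if (opt[i] !~ /^timestamp_timeout=/) continue
            val = opt[i]; sub(/^timestamp_timeout=/, "", val)
            found++
            if (val ~ /^[0-9.]+$/ && val + 0 == 0)
                print "OK    " scope " always prompts"
            else { bad++; print "WEAK  " scope " timestamp_timeout=" val }
        }
    }
    END {
        if (!found) print "MISSING no timestamp_timeout; compiled-in default applies"
        exit (found && !bad) ? 0 : 1
    }'
}

# Constructed sample inputs (not taken from any real system).
sample_stock() {
    printf '%s\n' '# constructed: nothing configured' \
        'Defaults env_reset' '%admin ALL=(ALL) ALL'
}
sample_mixed() {
    printf '%s\n' '# constructed: a cached timeout left in place' \
        'Defaults env_reset, \' '    timestamp_timeout=15' \
        'Defaults:ALL timestamp_timeout=0' '%admin ALL=(ALL) ALL'
}
sample_hardened() {
    printf '%s\n' '# constructed: only the line from the post' \
        'Defaults env_reset' 'Defaults:ALL timestamp_timeout=0' \
        '%admin ALL=(ALL) ALL'
}

for s in sample_stock sample_mixed sample_hardened; do
    echo "== $s"
    "$s" | audit_timestamp_timeout || echo "   -> password prompt can be skipped"
done
```

On a real system the input would be /etc/sudoers, read as root, and the edit itself is best made with visudo, which syntax-checks the file before saving it.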