Mac OS X Finder Grants Privileged Directory Access to Local Admin Users
SecurityTracker Alert ID: 1008278
CVE Reference: GENERIC-MAP-NOMATCH
Updated: Dec 19 2003
Original Entry Date: Nov 22 2003
Impact: Modification of system information, Modification of user information
Version(s): OS X 10.3
Description: Santino Rizzo reported a vulnerability in Mac OS X in the Finder function. A local user with admin privileges (but not root privileges) can gain write access to the root-owned '/System/Library' directory and other directories.

[Editor's note: A user (James Reynolds) has reported that the behavior described below reflects the proper default operation of the 'admin' user in Mac OS X. The user also reports that it is possible to manually edit the '/etc/authorization' list to provide a more granular and restrictive level of access control that prohibits the behavior described below, if desired. As a result, this alert will be deleted from our database shortly.]

It is reported that an authenticated user in the 'admin' group can authenticate via Finder to write to the '/System/Library' directory, which is owned by root. The directory permissions are 755 and the ownership is root user and wheel group, the report said. If the admin group is removed from the sudoers list, a local user can reportedly still gain this access.

The report indicated that Finder checks the '/etc/authorization' access control list for the 'com.apple.desktopservices' right, does not find that right in the list, and so applies the 'default' rule, which permits any admin user to have write access to the directory even though the admin group has no write permission on it.

A local admin user can reportedly use the "Go To Folder.." command to gain write access to arbitrary directories on the target system.

The vendor has reportedly been notified.
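The lookup behavior described above (a right that has no entry of its own in '/etc/authorization' is evaluated under the 'default' entry) and the editor's note about adding a more restrictive entry can be modelled in a few lines. The following is an added example written for this alert, not Apple's code and not a copy of the shipped '/etc/authorization': the plist is a constructed, minimal stand-in, the key names (rights, class, group, shared, comment) follow the real file's layout, and the evaluation rules for the 'allow', 'deny' and 'user' classes are a simplified model of Authorization Services, not its actual implementation.

```python
"""Toy model of the /etc/authorization right lookup described in the advisory.

Added example, not Apple's code. A right is looked up by name in the
'rights' dictionary of the plist; if no entry exists, the 'default' entry
applies. The plist below is constructed and deliberately minimal.
"""
import plistlib

# Constructed stand-in for /etc/authorization with no entry for
# com.apple.desktopservices, so a lookup for it falls through to 'default'.
# Key names (rights, class, group, shared) follow the real plist layout;
# the 'default' entry is modelled as "any authenticated member of admin".
AUTHDB_ORIGINAL = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>rights</key>
  <dict>
    <key>default</key>
    <dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
      <key>shared</key><true/>
    </dict>
  </dict>
</dict>
</plist>
"""

FINDER_RIGHT = "com.apple.desktopservices"   # right name from the report


def load_authdb(data: bytes) -> dict:
    """Parse an XML property list into a plain dict."""
    return plistlib.loads(data)


def resolve_right(authdb: dict, right: str) -> tuple:
    """Return (name_of_entry_used, entry).

    An exact match wins; otherwise the 'default' entry is used, which is
    the fallback the report describes for the Finder's right.
    """
    rights = authdb["rights"]
    if right in rights:
        return right, rights[right]
    return "default", rights["default"]


def authorize(authdb: dict, right: str, groups: set, authenticated: bool) -> bool:
    """Evaluate a right for a caller who belongs to 'groups'.

    Modelled classes (simplified): 'allow' always succeeds, 'deny' always
    fails, 'user' requires authentication plus membership of the entry's group.
    """
    name, entry = resolve_right(authdb, right)
    cls = entry.get("class", "user")
    if cls == "allow":
        return True
    if cls == "deny":
        return False
    if cls == "user":
        return authenticated and entry.get("group") in groups
    raise ValueError(f"unsupported class {cls!r} in entry {name!r}")


def add_explicit_right(authdb: dict, right: str, group: str) -> dict:
    """Return a copy of the database with an explicit entry for 'right' that
    requires membership of 'group', so 'default' no longer applies to it."""
    patched = dict(authdb)
    patched["rights"] = dict(authdb["rights"])
    patched["rights"][right] = {
        "class": "user",
        "group": group,
        "shared": False,
        "comment": "added: do not let the Finder override root-owned directories",
    }
    return patched


if __name__ == "__main__":
    db = load_authdb(AUTHDB_ORIGINAL)
    print(resolve_right(db, FINDER_RIGHT)[0])                          # default
    print(authorize(db, FINDER_RIGHT, {"admin", "staff"}, True))       # True
    hardened = add_explicit_right(db, FINDER_RIGHT, "wheel")
    print(resolve_right(hardened, FINDER_RIGHT)[0])                    # com.apple.desktopservices
    print(authorize(hardened, FINDER_RIGHT, {"admin", "staff"}, True)) # False
    print(authorize(hardened, FINDER_RIGHT, {"wheel"}, True))          # True
```

The point of the model is the two resolve_right results: before the explicit entry exists, the Finder's right resolves to 'default' and any authenticated admin passes; once an entry for the right is present, the fallback is never reached and only the group named in that entry passes. On a real system the corresponding change is an edit to '/etc/authorization' itself, which this example does not perform.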
Impact: A local user in the 'admin' group can gain write access to arbitrary directories on the target system.
Solution: No solution was available at the time of this entry.
Vendor URL: www.apple.com/
Cause: Access control error
Underlying OS: UNIX (Mac OS X)
OS Comments: 10.3
Reported By: Santino Rizzo <santino@adelphia.net>
Message History:
None.
Source Message Contents
Date: Thu, 20 Nov 2003 17:43:46 -0500
From: Santino Rizzo <santino@adelphia.net>
Subject: Finder authentication in Mac OS X 10.3 circumvents root file permissions
Vendor: Apple Computer
Target: Finder authentication in Mac OS X 10.3

If a user in the admin group tries to write to the /System/Library directory, which has owner permissions of root:wheel and file permissions of 755, they are presented with an authentication dialog from the Finder. Upon authenticating as an admin they are given full access to the directory, circumventing the root permissions. This occurs even if the admin group is removed from the sudoers list.

The Finder is authenticating using the /etc/authorization control list. The authorization right it is looking for is 'com.apple.desktopservices'. This right is not in the list so it is falling back to the 'default' rule which allows any admin to be authorized, thus gaining write access even though the admin group does not have write permissions and even if admin is not allowed to sudo.

If the "Go To Folder.." command is used, the admin user can gain write access to any directory on the system including /private which belongs to root.