  1. #1
    solrac is offline Mac Ninja
    Join Date
    Oct 2000
    Location
    LA, CA
    Posts
    842
    Thanks
    0
    Thanked 0 Times in 0 Posts

    GIANT HUMONGOUS HOLE in mac os x security!!!


    Log in to a Mac OS X user's account through windows file sharing on a PC....

    Let's assume there are 2 users, one called "Administrator", and the other called "Guest". Guest has no privileges, Administrator has admin privileges.

    The PC in question is a Windows 2000 Pro box. It finds the mac in the "my network places / computers near me" window.

    The PC user clicks on the mac's computer icon and enters the username "Guest", and its password... uh.. "guest".

    The PC logs in fine. An explorer window opens up with this in the address bar:
    \\Macintosh-computer\guest

    All I have to do now, is change that to
    \\Macintosh-computer\administrator

    BOOM! I have access to the administrator's files, and I can even write to disk and delete things!!!

    And if I copy a file to the administrator, and try to open it as administrator, I can't! It belongs to "guest"!! It's retarded!!!

    So basically, if you log in to ANY user account through windows, you automatically have access to ALL user accounts, including administrators!

    Except for root (thank god). Root is not accessible, but only by a "path not found" error, not a "password incorrect" error. Very unsettling...

    What do we do????

  2. #2
    senne is offline Registered User
    Join Date
    Aug 2001
    Location
    Antwerp, Belgium
    Posts
    1,538
    Thanks
    0
    Thanked 0 Times in 0 Posts
    we call apple!
    mac user since 1985

  3. #3
    fryke is offline Super Moderator
    Join Date
    Sep 2000
    Location
    macosx.com
    Posts
    14,287
    Thanks
    15
    Thanked 120 Times in 109 Posts
    Hmm... can you actually CHANGE admin's files or just read them and write new ones? Does the guest account belong to the same group as administrator? Are the administrator's files set to be group readable, the directories set to group writeable?
    Mac user since 1987. Running Mac OS X 10.8 Mountain Lion on a MacBook Air 11" & an iMac 27" and whatever's newest for my iPhone 4s, iPad 3 and AppleTV 2.
    Apple Certified System Administrator 10.6, Apple Sales Professional 2008-2011, Apple Certified Mac Technician.

  4. #4
    Jason is offline Eyebrow Moderator
    Join Date
    Jul 2002
    Location
    Hyattsville, MD
    Posts
    2,045
    Thanks
    0
    Thanked 3 Times in 3 Posts
    you can set privileges via samba though

  5. #5
    solrac is offline Mac Ninja
    Join Date
    Oct 2000
    Location
    LA, CA
    Posts
    842
    Thanks
    0
    Thanked 0 Times in 0 Posts
    it doesn't matter!!!!!

    If you try to access another user's files, you should be asked for a password!!!!

    RIGHT????

  6. #6
    Sogni is offline *gone*
    Join Date
    Sep 2001
    Posts
    1,574
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Um...
    I don't have a "guest" user on my Mac,
    Checked Accounts from Prefs, checked NetInfo Manager, 'n checked /etc/passwd.
    No "guest" account...
    I'm not around here (much) anymore...
    Look for me in friendlier places.

  7. #7
    Sogni is offline *gone*
    Join Date
    Sep 2001
    Posts
    1,574
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Since I have no "guest" account, I created a test account... did what you did and I can ONLY get to the root folder for that user, which only shows all the sub-folders - that's it! Nothing more!

    I can't browse through the sub-folders nor write files ("Unable to create the folder 'New Folder', Access is denied").

    I do have two folders I can browse through, which are "Sites" and "Scripts", because I have changed permissions on them previously.

    Code:
    drwx------   7 sogni  staff    238 Dec 17 09:50 Desktop
    drwx------  16 sogni  staff    544 Dec 15 00:01 Documents
    drwx------  32 sogni  staff   1088 Dec 15 23:57 Library
    drwx------   5 sogni  staff    170 Dec 14 22:36 Movies
    drwx------   6 sogni  staff    204 Dec 12 10:20 Music
    drwx------  13 sogni  staff    442 Dec 12 13:14 Pictures
    drwxr-xr-x   4 sogni  staff    136 Dec 11 21:29 Public
    drwxrwxrwx  10 sogni  staff    340 Nov 24 14:02 Remote Connections
    drwxrwxrwx   6 sogni  staff    204 Dec 12 10:50 Scripts
    drwxr-xr-x  12 sogni  staff    408 Dec 12 10:20 Sites
    You might want to fix your permissions so that the files can't be mucked with. As you can see, I make it a habit to NOT write anything to the root directory on my account, everything is inside of the other folders - that are well protected.
    I'm not around here (much) anymore...
    Look for me in friendlier places.

  8. #8
    Sogni is offline *gone*
    Join Date
    Sep 2001
    Posts
    1,574
    Thanks
    0
    Thanked 0 Times in 0 Posts
    To fix your permissions, simply launch the Terminal App, and you'll automatically be placed in your root folder, so type this:

    Code:
    chmod u=rwx,g=,o= folder/
    where "folder/" are the individual folders you don't want people having access to.

    Also, if you don't want anyone AT ALL to access your user's folder, from the terminal simply do this:

    Code:
    cd /Users
    chmod u=rwx,g=,o= user/
    where "user/" is your user directory.

    My folder now looks like this:
    Code:
    drwx------  27 sogni  staff    918 Dec 12 12:49 Applications
    drwx------   7 sogni  staff    238 Dec 17 09:50 Desktop
    drwx------  16 sogni  staff    544 Dec 15 00:01 Documents
    drwx------  32 sogni  staff   1088 Dec 15 23:57 Library
    drwx------   5 sogni  staff    170 Dec 14 22:36 Movies
    drwx------   6 sogni  staff    204 Dec 12 10:20 Music
    drwx------  13 sogni  staff    442 Dec 12 13:14 Pictures
    drwxr-xr-x   4 sogni  staff    136 Dec 11 21:29 Public
    drwx------  10 sogni  staff    340 Nov 24 14:02 Remote Connections
    drwx------   6 sogni  staff    204 Dec 12 10:50 Scripts
    drwx------  12 sogni  staff    408 Dec 12 10:20 Sites
    And NO ONE can access my folder from another computer - BUT doing the 2nd command disables the ability to share files from the 'Public' folder, so only do the 2nd command if you REALLY want to keep everyone out. :P
    I'm not around here (much) anymore...
    Look for me in friendlier places.
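
The permission check and fix from posts #7 and #8, as an added example that is not part of the original thread: `audit_home` lists the top-level folders of a home directory that grant any access to group or other, and `lock_down` applies the `chmod u=rwx,g=,o=` from post #8 to them. The function names and the `KEEP_SHARED` exception list (here only `Public`, which post #8 leaves readable) are assumptions.

```shell
#!/bin/sh
# Added example: audit and tighten the top-level folders of a home directory.
# KEEP_SHARED is an assumption: folders deliberately left readable by others.
KEEP_SHARED="Public"

# Print "<mode> <name>" for every top-level directory whose group/other
# permission bits (columns 5-10 of the ls -l mode string) are not "------".
audit_home() {
    home=$1
    for d in "$home"/*/; do
        [ -d "$d" ] || continue          # unmatched glob or not a directory
        d=${d%/}
        [ ! -L "$d" ] || continue        # skip symlinks; chmod would follow them
        mode=$(ls -ld "$d" | cut -c1-10) # cut drops any trailing ACL/xattr marker
        go=$(printf '%s' "$mode" | cut -c5-10)
        [ "$go" = "------" ] || printf '%s %s\n' "$mode" "${d##*/}"
    done
}

# Remove all group/other access from each flagged folder,
# except the ones named in KEEP_SHARED.
lock_down() {
    home=$1
    audit_home "$home" | while read -r mode name; do
        case " $KEEP_SHARED " in
            *" $name "*) continue ;;
        esac
        chmod u=rwx,g=,o= "$home/$name"
    done
}

# Usage: sh audit.sh /Users/yourname   (reports only; call lock_down to change modes)
[ $# -eq 0 ] || audit_home "$1"
```

Hidden folders (names starting with a dot) are not matched by the `*` glob and are left untouched.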
