# GIANT HUMONGOUS HOLE in mac os x security!!!



## solrac (Dec 17, 2002)

Log in to a Mac OS X user's account through Windows file sharing on a PC....

Let's assume there are 2 users, one called "Administrator", and the other called "Guest". Guest has no privileges, Administrator has admin privileges.

The PC in question is a Windows 2000 Pro box. It finds the mac in the "my network places / computers near me" window.

The PC user clicks on the mac's computer icon and enters the username "Guest", and its password... uh.. "guest".

The PC logs in fine. An explorer window opens up with this in the address bar:
`\\Macintosh-computer\guest`

All I have to do now, is change that to
`\\Macintosh-computer\administrator`

BOOM! I have access to the administrator's files, and I can even write to disk and delete things!!!    

And if I copy a file to the administrator, and try to open it as administrator, I can't! It belongs to "guest"!! It's retarded!!!

So basically, if you log in to ANY user account through windows, you automatically have access to ALL user accounts, including administrators!

Except for root (thank god). Root is not accessible, but only by a "path not found" error, not a "password incorrect" error. Very unsettling...

What do we do????


----------



## senne (Dec 17, 2002)

we call apple!


----------



## fryke (Dec 17, 2002)

Hmm... can you actually CHANGE admin's files or just read them and write new ones? Does the guest account belong to the same group as administrator? Are the administrator's files set to be group readable, the directories set to group writeable?


----------



## Jason (Dec 17, 2002)

you can set privileges via Samba though


----------



## solrac (Dec 17, 2002)

it doesn't matter!!!!!

If you try to access another user's files, you should be asked for a password!!!!

RIGHT????


----------



## Sogni (Dec 17, 2002)

Um...
I don't have a "guest" user on my Mac,
Checked Accounts from Prefs, checked NetInfo Manager, 'n checked /etc/passwd.
No "guest" account...


----------



## Sogni (Dec 17, 2002)

Since I have no "guest" account, I created a test account... did what you did and I can ONLY get to the root folder for that user, which only shows all the sub-folders - that's it! Nothing more!

I can't browse through the sub-folders nor write files ("Unable to create the folder 'New Folder', Access is denied").

I do have two folders I can browse through, which are "Sites" and "Scripts", because I have changed permissions on them previously.


```
drwx------   7 sogni  staff    238 Dec 17 09:50 Desktop
drwx------  16 sogni  staff    544 Dec 15 00:01 Documents
drwx------  32 sogni  staff   1088 Dec 15 23:57 Library
drwx------   5 sogni  staff    170 Dec 14 22:36 Movies
drwx------   6 sogni  staff    204 Dec 12 10:20 Music
drwx------  13 sogni  staff    442 Dec 12 13:14 Pictures
drwxr-xr-x   4 sogni  staff    136 Dec 11 21:29 Public
drwxrwxrwx  10 sogni  staff    340 Nov 24 14:02 Remote Connections
drwxrwxrwx   6 sogni  staff    204 Dec 12 10:50 Scripts
drwxr-xr-x  12 sogni  staff    408 Dec 12 10:20 Sites
```

You might want to fix your permissions so that the files can't be mucked with. As you can see, I make it a habit to NOT write anything to the root directory on my account, everything is inside of the other folders - that are well protected.


----------



## Sogni (Dec 17, 2002)

To fix your permissions, simply launch the Terminal App, and you'll automatically be placed in your root folder, so type this:


```
chmod u=rwx,g=,o= folder/
```
where "folder/" are the individual folders you don't want people having access to.

Also, if you don't want anyone AT ALL to access your user's folder, from the terminal simply do this:


```
cd /Users
chmod u=rwx,g=,o= user/
```
where "user/" is your user directory.

My folder now looks like this:

```
drwx------  27 sogni  staff    918 Dec 12 12:49 Applications
drwx------   7 sogni  staff    238 Dec 17 09:50 Desktop
drwx------  16 sogni  staff    544 Dec 15 00:01 Documents
drwx------  32 sogni  staff   1088 Dec 15 23:57 Library
drwx------   5 sogni  staff    170 Dec 14 22:36 Movies
drwx------   6 sogni  staff    204 Dec 12 10:20 Music
drwx------  13 sogni  staff    442 Dec 12 13:14 Pictures
drwxr-xr-x   4 sogni  staff    136 Dec 11 21:29 Public
drwx------  10 sogni  staff    340 Nov 24 14:02 Remote Connections
drwx------   6 sogni  staff    204 Dec 12 10:50 Scripts
drwx------  12 sogni  staff    408 Dec 12 10:20 Sites
```

And NO ONE can access my folder from another computer - BUT doing the 2nd command disables the ability to share files from the 'Public' folder, so only do the 2nd command if you REALLY want to keep everyone out.


----------
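The permission fix from the post above, as an added example that is not part of the original thread: it lists the top-level folders of a home directory that group or others can reach, then applies the same `chmod u=rwx,g=,o=` to each one except a keep list. The names `audit_home`, `lock_down`, `make_sample` and `KEEP` are hypothetical, and the sample tree is constructed to mirror the modes in the first listing.

```shell
#!/bin/sh
# Added example (not from the thread): audit and tighten a home folder.
# KEEP: space-separated folder names left untouched (assumption: only
# Public stays shared; names containing spaces are not supported here).
KEEP="Public"

# List top-level folders of "$1" that give group or others any access,
# one "<mode> <name>" line each, in the style of the listings above.
audit_home() {
    for d in "$1"/*/; do
        d=${d%/}
        if [ ! -d "$d" ] || [ -L "$d" ]; then continue; fi
        mode=$(ls -ld "$d" | cut -c1-10)
        case "$mode" in
            d???------) ;;  # owner-only, nothing to report
            *) printf '%s %s\n' "$mode" "${d##*/}" ;;
        esac
    done
}

# Apply the chmod from the post to every top-level folder except KEEP.
lock_down() {
    for d in "$1"/*/; do
        d=${d%/}
        if [ ! -d "$d" ] || [ -L "$d" ]; then continue; fi
        case " $KEEP " in *" ${d##*/} "*) continue ;; esac
        chmod u=rwx,g=,o= "$d"
    done
}

# Constructed sample tree mirroring the modes in the first listing.
make_sample() {
    t=$(mktemp -d) || return 1
    mkdir "$t/Desktop" "$t/Public" "$t/Scripts" "$t/Sites" "$t/Remote Connections"
    chmod 700 "$t/Desktop"
    chmod 755 "$t/Public" "$t/Sites"
    chmod 777 "$t/Scripts" "$t/Remote Connections"
    echo "$t"
}

home=$(make_sample)
echo "before:"; audit_home "$home"
lock_down "$home"
echo "after:";  audit_home "$home"
rm -rf "$home"
```

Running `audit_home` on its own changes nothing, so it can be used first to see which folders `lock_down` would tighten.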



## Austin Powers (Dec 17, 2002)

Did someone say giant humongous hole? Oh my... better get that stitched up baby! Yeah!


----------



## solrac (Dec 17, 2002)

I was able to go beyond the root folder of the user account and even into the desktop!

My permissions are not bad, it's a fresh install of os x 10.2.2

So then the default permission setup allows anyone to browse any one else's files.... 

is this not a security hole???


----------



## Sogni (Dec 17, 2002)

> _Originally posted by solrac_
> I was able to go beyond the root folder of the user account and even into the desktop!
> 
> My permissions are not bad, it's a fresh install of os x 10.2.2
> ...



Mine is a fresh install of Jaguar too (redone just a few days ago from the 10.2 CD)...
You got me there...


----------



## solrac (Dec 17, 2002)

hmmm.... I'll let this thread sit here for a few days but if no one knows anything further I better report this to Apple...


----------



## Sogni (Dec 17, 2002)

Hmmm... solrac, how did you install Jaguar? Fresh install (reinitialized harddrive) or an upgrade? Wonder if there is anything there...
Agreed either way, it should NOT be open like that by default no matter how installed.

Maybe people who are (re)installing Jaguar should let us know what their default User permissions are, and how they installed Jaguar - there might be something there...


----------



## solrac (Dec 17, 2002)

I did a fresh install - reinitialized hard drive.

Hmmm.... I did make a user called "Disks" and then went into netinfo utility and changed their home directory to '/Volumes', so that I could share my ipod with a windows computer by logging in as "Disks"... but I don't think that should do anything bad .... would it?


----------



## Urbansory (Dec 18, 2002)

Well I hope that's not true, although that's why I leave my computer off the campus network. I did plan on connecting so I can grab my audio files when in class, but I will try this on a few Windows machines on our local network and see what I can get. I know you can access guest by default if sharing is on, but I changed the privs so no one could place things in my drop box. But if this is true....let me go find out.


----------



## marz (Dec 19, 2002)

Could be that Windows cached your credentials from the iPod mapping and is using those credentials to browse since you say the Disks account had permissions to /Volumes??


----------



## fryke (Dec 19, 2002)

it's a shame Apple ever opened Windows' access to our superior computers. SMB sharing? Pfhh! Nothing but pure AppleTalk will ever talk to my computers besides TCP/IP.


----------



## sandsl (Dec 19, 2002)

This 'hole' isn't on my machine (Powerbook G4 800mhz). I have no guest access, but I do have multiple accounts. Using Windows, I can only login using the set usernames/passwords of each account user, and then only access the files for whom I am logged in as. Therefore I have no security concerns about Jaguar.

How many people are experiencing this problem? I think it's a permission problem on a few machines, but could be wrong. The best solution is to test *your* individual setup with your Windows Network if you have any concerns & turn off guest access if it is of no use to you.

Remember that holes in Microsoft Windows are found monthly, if this does turn out to be a hole in Mac OS X, it is a rare occurrence.


----------



## Mills (Dec 20, 2002)

er... I'm pretty sure this isn't a fault, I've been taking advantage of it for a while thinking it was the norm. I have my ~/music folder shared across the network at campus.

The Windows users all have their own account, but, using your example, they just immediately open my home folder not their own folders, i.e. they try accessing smb://my.ip/my.user, when asked for their passwords and users they simply enter theirs. All they're doing is simply reading that network share as opposed to their own. Either way, their accounts still work.

It should just be like them signing in directly at your computer. They should have read access to most of the computer, but they shouldn't be able to get read access to any of your folders deeper than your home directory unless it's your drop box or you've specified that they can. Just change the privileges and all should be fine.


----------



## solrac (Dec 20, 2002)

There's some confusion here. Everyone thinks I have some kind of special "guest" account. I don't. I just have a regular user account that happens to be named "guest".

Anyway, your smb://my.ip/my.user example to share the ~/music folder across the network is not a good example.

How about if someone accessed your music folder, could they also access ~/Desktop as well? And delete all your files? Or read all your files?

I never touched any of my permissions, they are at apple's factory settings and I don't know if I want to go around changing them...


----------



## sandsl (Dec 24, 2002)

> I just have a regular user account that happens to be named "guest".

The name of the account is irrelevant, the importance is on the password. If the account doesn't have a password then anyone can login (duh). If you wanted to secure your system you would put a password on this account or remove it. I find it difficult to sympathize with you while YOU added an open 'guest' account and expect 100% security.

> I never touched any of my permissions

That doesn't mean they are Apple's factory settings. Applications can (& have) changed permissions and there have been numerous reports of Installers which seem to mess up permissions.

Like I said, I'm not having the problem you've described. However you should report it to Apple if you still think it's a bug. In the mean time remove your 'guest' account or set a password for it even if it's just 'guest'. So user/password would be 'guest'/'guest'. You may find that fixes your problems.


----------



## aaike (Dec 24, 2002)

I'm thinking that sharing /Volumes might not be such a good idea. If you would work with partitions, you would make these available/visible too... I think messing with NetInfo to do this isn't exactly the same as keeping factory settings.
I've never experienced any trouble when accessing my computer via Windows anyway.
But please let us know if you found out what is really wrong!


----------



## solrac (Dec 26, 2002)

no, my guest account does have a password!!! I didn't even know you could make an account with no password.

Anyway, I know of no other way to share my iPod via SMB other than that /Volumes hack I did.

Anyway, this is all a moot point since I downloaded 10.2.3 this problem no longer exists. Weird.....


----------



## fryke (Dec 26, 2002)

Well, let's say there's two options.

1) There WAS a giant security hole and Apple patched it with 10.2.3.

2) _Something_ was wrong (whatever the reason) with your permissions and/or SMB setup and 10.2.3 fixed it automatically.

Whatever the reasons, the problem seems solved now.


----------



## Vyper (Dec 26, 2002)

> _Originally posted by Austin Powers_
> Did someone say giant humongous hole? Oh my... better get that stitched up baby! Yeah!


Hey Ed.. have you ever contemplated banning somebody?

I wouldn't trust my Mac with a Windows person anyways ^_^


----------



## Austin Powers (Jan 4, 2003)

> _Originally posted by Vyper_
> Hey Ed.. have you ever contemplated banning somebody?



You don't work for Dr. Evil, do you man? I mean, when you come face to face with danger on a daily basis, a little humor goes a long way, especially when it comes to humongous holes... I mean really man, you could fit a watermelon in there!


----------



## Jason (Jan 4, 2003)

I've yet to see a serious post from you powers... you have a point here?


----------



## Jersey Turnpike (Jan 6, 2003)

Does your guest account have privileges to 'administer this computer'?

If so, that's the problem.


----------



## Orion (Jan 6, 2003)

just disable guest access in smb of your localhost.


----------



## solrac (Jan 6, 2003)

AHHHH THERE'S NO GUEST ACCESS!!!!!!!!!!!

FORGET I EVER SAID THE WORD GUEST

sheeesh


----------

