Horrendous local-user security hole in 4k73


this is unbelievable.

in the later builds, the applemenu has returned.

from the login screen, if you click where the applemenu normally is (top left corner of the screen) it drops down even though there is no menubar on this screen.

the applemenu has an item for launching the 'System Preferences' ... when launched from the applemenu at the login screen on my machine (4k73) the System Preferences launched as root. let me repeat.


i was easily able to create an admin user for myself without ever actually authenticating myself to the system. i could then log in as my new user and do whatever i wished.

this is a GLARING security hole and i HOPE its existence is merely because this is a non-release build.


admittedly, few unix machines are safe from 'single user mode' style hacking by people who know what they are doing and are sitting physically in front of the machine... but this took NO unix skill at all. yikes again.

well. just thought i'd mention it.

** holding breath till March 24 **

Wow! That's a great one! Pretty obviously an oversight though.

I am more concerned about a few other things that might just be intentional, perhaps someone with access to more recent builds can let me know...

Does "nidump passwd /" still give you access to crypt-encoded passwords? Is the same information (and other sensitive info) still around in a world-readable file at /var/backups/nidump.local?

When the screensaver is on, and a password lock is set, does cmd-opt-esc still let an arbitrary user quit apps that the logged on user is running?
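The nidump question above, turned into an added audit check (not code from this thread): given a passwd-format dump such as nidump wrote, it reports whether the file is world-readable and how many entries still carry a real crypt(3) hash instead of a locked marker. The dump contents and account names are constructed for the example.

```shell
#!/bin/sh
# Constructed sample in the format "nidump passwd /" printed
# (user:hash:uid:gid:class:change:expire:gecos:home:shell).
# The hash and the "alice" account are made up for this example.
SAMPLE_DUMP="$(mktemp)"
trap 'rm -f "$SAMPLE_DUMP"' EXIT
cat > "$SAMPLE_DUMP" <<'EOF'
root:*:0:0::0:0:System Administrator:/var/root:/bin/tcsh
nobody:*:-2:-2::0:0:Unprivileged User:/nohome:/noshell
alice:Xy7abcdefghij:501:20::0:0:Alice Example:/Users/alice:/bin/tcsh
EOF
chmod 644 "$SAMPLE_DUMP"   # world-readable, mirroring the /var/backups/nidump.local concern

# Count entries whose password field is a real hash rather than a locked
# marker ("*", "!...", or empty). Prints the count.
exposed_hash_count() {
    awk -F: '$2 != "" && $2 != "*" && $2 !~ /^!/ { n++ } END { print n + 0 }' "$1"
}

# Print "yes" when the mode grants read to "other": the 8th character of
# "ls -l" is the other-read bit on both macOS and Linux.
world_readable() {
    case "$(ls -ld "$1" | cut -c8)" in
        r) echo yes ;;
        *) echo no ;;
    esac
}

printf 'world-readable: %s, entries with exposed hashes: %s\n' \
    "$(world_readable "$SAMPLE_DUMP")" "$(exposed_hash_count "$SAMPLE_DUMP")"
```

A dump that is world-readable and has a non-zero count is exactly the exposure the post asks about; the fix is to restrict the file mode and keep hashes out of the dump.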

Implementing read permissions in NetInfo would be nice, but I don't think Apple is going to do it. The source is available if you want to look at it. It's part of Darwin.

Are you "strobe anarkhos" of the devlists - saw the name on some netinfo security postings...

What about the possibility of starting the computer holding the ALT button down to boot into the mode where you see every possible startup disk?
When you have installed OS X and Classic, you then get access to the OS9 startup disk in this mode... just boot and you have full access to the disks...

I have OS9 on another partition than OS X... I'm not sure if this situation comes up when you have it on the same partition as OS X... but should it be this easy to get full access into the computer?

Uuh, if you're trying to make your mac secure enough that you can let people borrow it you're going to have to do a lot more than prevent people from booting MacOS. You would have to encrypt all your drives and load the kernel from a separate partition with the ciphers compiled in. When the kernel is loaded it'll ask you for a passphrase to read your drives. You'll also need to send your machine through an MRI to make sure it hasn't been tampered with, and also check the integrity of the kernel on your partition to make sure a dummy one wasn't installed.

And you would have to do it yourself because unless you're going to pay me, I'm not doing it.

Bottom line is if somebody is able to physically access your computer, well, what on earth do you expect Apple to do about it? Time to get a guard dog and a home security system |-p

Here is what I have done to my mac
I have a keylock on it...no key, no startup....
If you *can* start up I have a thumbprint ID..you fail it...
well... no computer.... furthermore, retinal scan soft/hardware to see if it is really you.

Then you need to supply a passphrase that is at least 100 characters long, with 3G encryption on it built in to the OS as an uncorruptable file, and then you need to speak a separate passphrase so that the mac can recognize you (again).

The computer has a time out timer set to 1 minute of inactivity, oh and did I mention it's 10 feet under in a secure vault protected by overhead laser intruder-detection-systems, and pressure sensitive floors? The room also requires 2 people with two distinct keys to open it, a pin and a swipe card.....

not even agent Ethan Hunt would be able to crack this baby!


PS: of course you all know I am joking :p