security hole?

aisikl

hello there

ever since i'm using Macosx, i've been ssh-ing in my home comp from work (i work in networking and it's very useful to have a workstation in another domain to do tests from) -- anyway: i made sure that the connection is secure because a lot of classified data is going thru the lines --
until this happened:
today i was chatting with a friend -- i was explaining to him why i liked macosx so much and as an example told him to ftp as visitor in my comp.
i did the same in the command line and didn't really notice anything odd until my friend told me to log in through a web browser - i did so in omniweb and to my utter astonishment and shock it showed me everything: etc, var, usr, mach, mach.sys, mach_kernel (see attachment) --
i did the same in explorer and opera and there it didn't show me all the hidden system files --
can anybody please tell me how bad this is?

thanks

['aisikl]

ps: don't bother ftp'ing into my ip (it's dynamic and will have changed by the time you try it)
 

Attachments

  • ftp omniweb.gif
thanks for the quick reply --
this tip seems to do the trick ;-)

still, don't you think it's a bit weird that things like this aren't default --
i mean, i wasn't worried that this could possibly damage my system (since the user was restricted to his own directory anyway) but i thought it a bit weird that the different files and directories were visible --
anyway, thanks

['aisikl]

Ps: does a program like adduser exist for macosx?
 
I've just tried this, and it works for the FTP logins, but what about the SSH or Telnet logins? They can still access everything, and even see in some of my personal folders (just can't launch or change anything in them).

So is there an SSHChroot or something?

Thanks!
 
Be very careful indeed if you add an 'anonymous' ftp user. You almost certainly don't want to use the Users control panel - by default this will put the public user into the staff group, and give them a shell account, etc. This basically means (thanks to yet another brilliant Appleness) they can do the classic "nidump passwd ." or however that goes, and get a root/admin password for your comp with a little effort.

I'm pretty sure there is a separate procedure for adding anonymous ftp users, involving ftpd settings. Better to use niutil to specify exactly what settings you want for this user, making sure your anonymous user is a member of a no-privilege group, has a password of "*" (i.e. nil, no shell login possible), a shell of something like /bin/false, and a home directory of /dev/null. Look around places like www.securemac.com for details...
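
An added example, not part of the post above or of any Apple tool: a small audit that checks a passwd-format record against the four settings the post recommends (password `*`, no-privilege group, non-login shell, home of /dev/null). The privileged gids (0 wheel, 20 staff, 80 admin), the list of accepted non-login shells, and the sample records are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit passwd-format records (name:passwd:uid:gid:...:home:shell)
# against the settings recommended for a no-login anonymous FTP account.
# Assumptions: gids 0 (wheel), 20 (staff) and 80 (admin) are the privileged
# groups on a default Mac OS X install; the accepted shells are illustrative.

audit_ftp_account() {
    # $1 = account name; records are read from stdin.
    awk -F: -v user="$1" '
        $1 == user {
            found = 1
            shell = $NF; home = $(NF - 1)   # works for 7- and 10-field records
            if ($2 != "*")
                print "FAIL passwd: field is not \"*\", password login possible"
            if ($4 == 0 || $4 == 20 || $4 == 80)
                print "FAIL group: gid " $4 " is a privileged group"
            if (shell != "/bin/false" && shell != "/usr/bin/false" && shell != "/sbin/nologin")
                print "FAIL shell: " shell " allows an interactive login"
            if (home != "/dev/null")
                print "FAIL home: " home " is a real directory"
        }
        END { if (!found) print "FAIL missing: no record for " user }
    '
}

# Constructed sample records (not taken from a real machine).
SAMPLE='visitor:Xq3constructedhash:501:20::0:0:Visitor:/Users/visitor:/bin/tcsh
ftpanon:*:502:500::0:0:Anonymous FTP:/dev/null:/bin/false'

# Number of findings for one account in the constructed sample.
count_failures() {
    printf '%s\n' "$SAMPLE" | audit_ftp_account "$1" | grep -c '^FAIL' || true
}

for u in visitor ftpanon; do
    echo "== $u: $(count_failures "$u") finding(s)"
    printf '%s\n' "$SAMPLE" | audit_ftp_account "$u"
done
```

On a real machine the records would come from piping the output of `nidump passwd .` (the command named in the post) into `audit_ftp_account` with the FTP account's name.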
 
about the fact that ssh-users can get into other users' folders:

all i did was a chmod 700 on every folder in the Users Directory. That way user Jef can't look into user Bob's folder. I 'protected' each and every Folder in the Applications, System and Library directory in the same way but didn't touch bin, sbin, var, etc and so on, simply because i always thought that as a terminal user you're supposed to see and use this ;)

i still think though that it's rather stupid that users created through Sys Pref belong to staff. Let's hope this is simply to make a difference between Mac OS X and Mac OS X Server software....
 
How do you change the group a user belongs to?

in netinfo, I created a "ftp" group, gave it an unused gid ( 500 ) and set passwd to * and then changed my ftp user gid property to 500.

is there more I have to do cause even after reboot, my ftp user still belongs to the old group
 
If you only want you yourself to have legitimate access to your OS X box, you might want to use the built-in firewall to block all incoming ports over the ethernet interface except for port 22 (ssh).

Then if you really wanted to http or something into your computer you could use ssh's port tunnelling.

You can also use scp to get whatever files you need.

-Rob
 