>> I agree. Just last week I finished remotely installing lynx only to >be confused as to why I could not access any websites. Of course LS was >blocking the new app. A command line interface to LS would have been >wonderful here. A script that requires root access should be enough and >only available as an option during install or from the PrefPane. >Require that the GUI specifically allow command line changes before >installing the script and beginning to accept changes. > . . . > >Wasn't there a recent security issue about root-access CLI'ish >stuff in OSX? (I'm being a little vague on purpose.) Maybe a >few months ago?
The most recent issues that I can remember are easily fixed. 1) Scripts that have the sticky bit set can be executed as the root user without authenticating. These are now "disabled" in X. Disabled in that OS X doesn't install any anymore and to my knowledge any scripts that have the bit set will have it unset by maintenance scripts. I'm hesitant to say that the OS doesn't support the sticky bit outright. Stickying scripts can be useful, but in general isn't a good idea. I wouldn't argue this to be used by LS. 2) sudo authentication is not limited to the tty it was initiated by and uses a long timeout. This allows other scripts to wait for sudo to be executed and then hijack that authentication by piggybacking on the authentication. It's difficult to call this an exploit because it is a configurable option that can be disabled (sudo applies to the current session only, and the timeout can be reduced to 0. ie. authenticate on every sudo request). This is probably a bad default configuration, but I still contend that the user who desires a command line interface to LS will also be the user who disables this sudo "hole". The are also ways to un-authenticate a sudo session, which could be added to the end of the LS script as a security measure. Those are the only to "exploits" that come to mind. -- -- arno s hautala /-\ [EMAIL PROTECTED] -- -- _______________________________________________ Littlesnitch-talk mailing list [email protected] http://at.obdev.at/mailman/listinfo/littlesnitch-talk
