[fortepianissimo]

I just discovered that my /usr/local/bin has permission o+w (actually it's drwxrwxrwx)!! I'm not sure what's going on here, but it appears to me to be very wrong... on further inspection, there're other places with doors wide open too.

Has anyone discovered this? Or have a good explanation why Apple wants to do this? Thanx!

[butter71]

Originally posted by fortepianissimo:
I just discovered that my /usr/local/bin has permission o+w (actually it's drwxrwxrwx)!!

is /usr/local/bin created by any 10.x install?

something you installed might have created it. what's your (or root's) umask?

[fortepianissimo]

root umask gives 0022, which i think it's pretty normal.

in /usr/local/bin i have emacs for os x and mplayer installed there. do u think it's their installers somehow screwed up?

(but this didn't explain why there're other places where the permissions are wrong)

[fortepianissimo]

just to name a few other directories where the permissions are world-wide read/write/executable:

/System Folder
/Temporary Items (drwxrwxrwt)
/Volumes
/cores

... and various other installer log files under /.

bizzare.

[butter71]

/System Folder
/Temporary Items (drwxrwxrwt)
/Volumes
/cores

it's ok for these to be set the way they are.

/System Folder probably has to be world writable for classic apps (which have no concept of file permissions) to work correctly.

the permissions on /Temporary Items will only allow users to delete their own files. this mimics /tmp on most unix installations.

/Volumes is used for mounted filesystems. not sure if it needs to be world writable.

/cores is writable since it is the repository for core dumps from crashed apps.

the installer logs could be set that way on purpose by the installer. or maybe classic creates files 0777 by default? i don't have classic installed to test.

if you are paranoid, you could experiment with changing permissions on these directories. i'm not sure what all (if any) will lossage will result.

[fortepianissimo]

doh... just did a "chmod -R o-w /" before your post. I guess I' need to run a repair now.

But doesn't this mean OS X is an inherently insecure system? I mean any user can easily trash the system by either filling tons of garbage or deleting the entire directories?

[butter71]

But doesn't this mean OS X is an inherently insecure system? I mean any user can easily trash the system by either filling tons of garbage or deleting the entire directories?

i wouldn't say "inherently insecure"; i would classify it more as "not the most secure out of the box". the facilities are there to be as paranoid/trusting as you like.

users won't be able to delete the directories without having write permission in /.

as far as filling all your disk space -- in the default os x install, they could just do it using their home directory.

you could move user writable areas to a different partition that doesn't crash the system if it fills. there's also a quota system (man quota), but i'm not sure if it's fully implemented in os x client.

i imagine that some of the security tradeoffs are to help migrate os9 users and to support classic apps.