MacNN Forums (http://forums.macnn.com/)
-   Classic Macs and Mac OS (http://forums.macnn.com/classic-macs-and-mac-os/)
-   -   Found a serious flaw in os9 "security" (http://forums.macnn.com/64/classic-macs-and-mac-os/47273/found-a-serious-flaw-os9-security/)

 
billybob Oct 28, 1999 09:14 PM
Found a serious flaw in os9 "security"
I really like the multi-user option of os9, but I found something that seriously needs to be addressed. There's the option to "lock the screen" after a user-defined amount of inactivity (I have mine set at 15 minutes). The lock-up screen that comes up after the defined time asks you to enter your password or logout. However, if you happen to have an application open that has an unsaved document, like a word processor for example, then problems arise, especially if there are files on your computer that you DON'T want others to see.
When the lockout screen comes up, and you hit logout, if you have "unsaved documents" opened, when os9 tries to quit those applications to logout, it asks you if you want to save changes. If you simply click the "cancel" button, the application will NOT quit and the user will NOT be logged out. The person who is on the computer then has access to use the account that is currently logged in, and do whatever they want on the computer. That sucks!
I generally don't leave unsaved documents open (I'm one of those "constant savers" who presses command-s after every change, it's just habit), but I DO use a telnet program called NiftyTelnet (very superior to NCSA Telnet) for email purposes mainly. When you press command-q to quit out, NiftyTelnet asks you if you're sure you want to quit because you have sessions open, and unfortunately (as far as I can tell) there's no way to turn this option off. But that's MY problem. That's the main reason I'm concerned about this. But I think others should be just as concerned.
billybob
 
Takeo Oct 29, 1999 01:52 PM
But anytime you are away from your computer, anyone can do whatever they want. What about those 15 minutes that you are away from your computer? Isn't your computer free game during that time? The best thing to do is simply save all unsaved documents and manually log out whenever you leave the computer. I think it would be more annoying to lose my work as the result of an auto-logout! That would really suck!
 
wlonh Oct 29, 1999 03:29 PM
 
billybob Oct 29, 1999 03:43 PM
Takeo - Yah, those 15 minutes also count. What os9 needs is a way to lock the screen when you want to. For example, hitting command-control-L would lock the screen instantly instead of waiting for 15 minutes or whatever. The thing about this security issue is I don't think a whole lot of people would actually hit "cancel" unless they knew that it would abort the application from quitting. I myself discovered this many years ago when you could pick "shut down" from the special menu, and any app that opened a dialog box could stop the computer from shutting down if you hit cancel.

The reason I usually wouldn't log out when I leave my computer is that I usually have at least 5 or 6 apps open all the time and it's annoying to set the computer back up to how I like it. I just hope that Apple fixes this in 9.1 or whatever.
 
typoon Oct 29, 1999 04:56 PM
Maybe there is a good ResEdit for this problem.
 
Takeo Oct 29, 1999 11:22 PM
billybob...

I just read about this issue in more detail. I thought you were referring to the ability to cancel an auto-logout by hitting cancel in a file save dialog box (if there are unsaved documents)... but from what I have read... you are not actually logged out by this auto-lock feature... the screen is just password protected and you can get in by hitting "logout" and then hitting cancel in a file save dialog box (if there are unsaved documents). That does actually kind of suck. But as you say, it may be part of the OS. I often cancel shutdowns (similar to a logout) by quickly launching an app or taking advantage of a file save dialog box that might pop up. Perhaps the logout button should not even be an option with the "password protect after 'n' minutes" feature. You should have to enter the password to get back to the Finder and logout... But that could be a problem in a student lab where someone leaves a computer without logging out. Anyway, I'm rambling. I guess ultimately the thing is that the multi-users feature in MacOS 9 is more of a personalization feature than a security feature.
 
hayesk Nov 1, 1999 09:54 AM
I don't think that feature was ever designed with tight security in mind. Considering you can boot from another drive and see the contents of the drive anyway, this is a moot point.

If you want to keep info safe, encrypt it or use a third-party multi-user package with security.

The odd thing is that MacOS 9's multi-user feature is based on At Ease, which had better security.
 
GeneT Nov 3, 1999 01:16 PM
A question I'd like to ask is whether or not people who have seen this problem have noticed that approx 10 seconds after the Cancel button was hit, the application should be, once more, prompted to quit. In effect, once the logout starts, it will try really hard to complete, but not at the expense of tossing any unsaved work. Yes, I am aware that there is this 10 seconds or more where you might be able to do some malicious damage to the system or the unsaved document (and I do agree that it's an issue), but are some people not seeing the subsequent application quit dialogs?
 
billybob Nov 3, 1999 05:39 PM
GeneT:
When I first discovered this "issue," I tested it out several times. I never noticed any subsequent quit-attempts on my computer. I don't have macos9 final, I have os9 final candidate 9, which as far as I know, is the one that went golden master, so it is essentially the final version. Maybe they changed this in the actual final version? Who knows.

But if you managed to get into someone's computer this way, you would probably just hide the application anyways. Leave it in the background; os9 can tell it to quit all it wants, but it's not going to affect anything you're doing.
 
All times are GMT -4.