Fugu seems to (almost) totally compromise security on my Mac
Mac Enthusiast
Join Date: May 2001
Hi,
I'm a bit spooked by this... I'm hoping I'm being daft about something...
This is what I did:
I enabled 'Remote Login' on my computer.
I downloaded Fugu from <http://rsug.itd.umich.edu/software/fugu/>
I set up a new account which I called 'Fugu', with the password 'fugutest'.
I gave this account very strict limitations: Under the 'Limitations' tab I selected 'simple finder', I allowed Fugu to be the *only* application to be used.
I then logged in to the fugu account using fast user switching in Panther. I was still logged in to my admin account.
I launched Fugu and logged into my own account (the fugu account that is) running on 192.168.0.2, which is the internal ip address of my computer. Localhost will probably work as well.
I now find that I have full access to anything in the desktop folder of any account on the computer! I can copy any docs from any desktop folder in to my documents folder. I cannot reach any further down than the desktop.
Furthermore, I have unrestricted access to the root of the machine and can copy any application or document there.
WTF is up with this!
Please tell me I'm crazy... It can't be right that I can do this.
(Waiting for someone to make me look very stupid...)
Simon
Mac Enthusiast
Join Date: Dec 2000
Location: Germany
It's not fugu that compromises your computer security - it's you.
You enabled ssh terminal log in and sFTP access for the entire computer.
That's the purpose of remote login.
Fugu is an application to use that feature you enabled. If you log in as another user, let's say as an admin user, you will have all the privileges that user has.
Mac Enthusiast
Join Date: May 2001
Originally posted by Zadian:
It's not fugu that compromises your computer security - it's you.
You enabled ssh terminal log in and sFTP access for the entire computer.
That's the purpose of remote login.
Fugu is an application to use that feature you enabled. If you log in as another user, let's say as an admin user, you will have all the privileges that user has.
Zadian,
So if I had logged out of the admin account, the Fugu account wouldn't be able to reach in to the computer the way it did?
Simon
Mac Enthusiast
Join Date: Dec 2001
If you log in to your admin account with ssh or fugu from the Fugu account, you should be able to access anything your admin account can access. However, that shouldn't include the desktops of other users, in general. (Unless the default permissions of 10.3 are different than 10.2).
Mac Enthusiast
Join Date: May 2001
Originally posted by nickm:
If you log in to your admin account with ssh or fugu from the Fugu account, you should be able to access anything your admin account can access. However, that shouldn't include the desktops of other users, in general. (Unless the default permissions of 10.3 are different than 10.2).
nickm,
Thanks for your response.
I still don't get this and I'm wondering if I didn't cloud the waters by calling the User account 'Fugu'...
Let's say I'm the admin of the box.
I set up a new account for you called 'nickm'.
The only application you are allowed to use is Fugu. You are basically the *least* trusted user on the box.
You now log in to your account on the box, launch Fugu and tell it to loop back and log in to your own account, 'nickm', because that's the only account you have a username/password for.
Now you have access to *my* desktop!
This I don't get...
Simon
Dedicated MacNNer
Join Date: Aug 2001
Originally posted by simonmartin:
nickm,
Thanks for your response.
I still don't get this and I'm wondering if I didn't cloud the waters by calling the User account 'Fugu'...
Let's say I'm the admin of the box.
I set up a new account for you called 'nickm'.
The only application you are allowed to use is Fugu. You are basically the *least* trusted user on the box.
You now log in to your account on the box, launch Fugu and tell it to loop back and log in to your own account, 'nickm', because that's the only account you have a username/password for.
Now you have access to *my* desktop!
This I don't get...
Simon
This is NOT a fugu issue.
I'm not sure why you're surprised. Permissions for home directory allow everyone read access.
[foobar@foobaz foobar]$ ls -ld /Users/foobar ~/Desktop/
drwxr-xr-x 99 foobar staff 3366 Dec 10 20:03 /Users/foobar
drwxr-xr-x 67 foobar staff 2278 Dec 10 21:00 /Users/foobar/Desktop/
This is the way it is on several OS X machines I've checked.
Professional Poster
Join Date: Apr 2001
Location: Asheville, NC
In the terminal, type:
ls -al ~/Desktop
The left of the second line from the top lists the permissions of your desktop. If it says:
drwxr-xr-x
Then anyone will be able to read your desktop directory. To fix this, as the non-fugu user, type:
chmod 700 ~/Desktop
This should change that line to
drwx------
which means that no one but you will be able to read that directory.
It might be a good idea to read the man page on chmod.
ACSA 10.4/10.3, ACTC 10.3, ACHDS 10.3
Posting Junkie
Join Date: Dec 2000
Open Disk Utility, and do a Repair Permissions. At the very least, this should take care of all users having write access to the root of your drive.
Mac Enthusiast
Join Date: May 2001
Originally posted by BatmanPPC:
This is NOT a fugu issue.
I'm not sure why you're surprised. Permissions for home directory allow everyone read access.
This is the way it is on several OS X machines I've checked.
BatmanPPC,
Well, on my machine, if I try to access the desktop of another account through the *Finder* I get blocked with a permissions error.
I *can* access the very same desktop through Fugu.
I have to say you guys are taking this a lot better than me... :-)
Simon
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Originally posted by simonmartin:
BatmanPPC,
Well, on my machine, if I try to access the desktop of another account through the *Finder* I get blocked with a permissions error.
I *can* access the very same desktop through Fugu.
I have to say you guys are taking this a lot better than me... :-)
Simon
Open a terminal. Type this:
Code:
cd /Users/ && for user in `ls`; do if [ "$user" != "Shared" ]; then sudo chmod -R go-rx "$user"; fi; done
That should fix it. It will ask for your admin password one time. This will fix all user files and directories to only be readable or executable by the owner.
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
Junior Member
Join Date: Nov 2003
Originally posted by simonmartin:
BatmanPPC,
Well, on my machine, if I try to access the desktop of another account through the *Finder* I get blocked with a permissions error.
I *can* access the very same desktop through Fugu.
I have to say you guys are taking this a lot better than me... :-)
Simon
We're taking it better because we don't believe that Fugu is doing anything magical or special here. Rather, we think your permissions are screwed up in a way that affects the Finder but not Fugu.
Try it in the Terminal -- fast-switch over to your 'fugu' user, and fire up Terminal.
then:
cd /Users/simonmartin/
ls -l
copy and paste the results here (wrapped in [ CODE ] tag)
Mac Enthusiast
Join Date: May 2001
Originally posted by chaldean oracle:
We're taking it better because we don't believe that Fugu is doing anything magical or special here. Rather, we think your permissions are screwed up in a way that affects the Finder but not Fugu.
Try it in the Terminal -- fast-switch over to your 'fugu' user, and fire up Terminal.
then:
cd /Users/simonmartin/
ls -l
copy and paste the results here (wrapped in [ CODE ] tag)
chaldean oracle,
Hope this is what you mean...
This is directly after repairing permissions. I found that Fugu can even access my webDAV folder without being asked for a password.
Code:
drwxr-x--- 3 simon staff 102 15 Nov 08:31 Applications
drwxr-xr-x 28 simon staff 952 11 Dec 10:31 Desktop
drwxrwx--- 9 simon staff 306 15 Nov 08:31 Dockthing
drwxrwx--- 79 simon staff 2686 8 Dec 23:01 Documents
drwxrwx--- 22 simon staff 748 11 Dec 10:27 Expander
-rw-r--r-- 1 simon staff 0 7 Sep 19:03 IDE
drwxrwx--- 27 simon staff 918 15 Nov 08:33 Kate
drwxrwx--- 54 simon staff 1836 5 Dec 21:43 Library
-rw-r--r-- 1 simon staff 0 26 Aug 22:53 MME
drwxrwx--- 6 simon staff 204 15 Nov 08:33 Movies
drwxrwx--- 16 simon staff 544 15 Nov 08:33 Music
-rw-rw---- 1 simon staff 192 30 Jan 2003 OpenOffice.org_1.0.1.2_Final_Beta_InstallLog.log
drwxrwxr-x 16 simon staff 544 15 Nov 08:33 Pictures
drwxrwx--- 6 simon staff 204 28 Nov 20:13 Public
drwxrwxrw- 16 simon staff 544 15 Nov 08:33 Shared
drwxrwxr-x 11 simon staff 374 23 Mar 2003 Sites
drwxrwxr-x 19 simon staff 646 15 Nov 08:33 Web Sites
Mac Enthusiast
Join Date: May 2001
Originally posted by Arkham_c:
Open a terminal. Type this:
Code:
cd /Users/ && for user in `ls`; do if [ "$user" != "Shared" ]; then sudo chmod -R go-rx "$user"; fi; done
That should fix it. It will ask for your admin password one time. This will fix all user files and directories to only be readable or executable by the owner.
Arkham_c,
I hate running terminal scripts which I don't understand :-)
This won't screw my webserver/webdav or anything?
Simon
Fresh-Faced Recruit
Join Date: Apr 2003
Originally posted by simonmartin:
This is directly after repairing permissions. I found that Fugu can even access my webDAV folder without being asked for a password.
Code:
drwxr-xr-x 28 simon staff 952 11 Dec 10:31 Desktop
drwxrwx--- 79 simon staff 2686 8 Dec 23:01 Documents
drwxrwx--- 54 simon staff 1836 5 Dec 21:43 Library
those are some non-standard permissions there. i believe by default locally created users are in group "staff", which means that user fugu will be able to read and execute your desktop, write to your docs and library, etc. standard permission should look like
Code:
drwx------ 3 default staff 102 27 Oct 23:45 Desktop
drwx------ 3 default staff 102 25 Aug 2002 Documents
drwx------ 6 default staff 204 27 Oct 23:45 Library
drwxr-xr-x 3 default staff 102 27 Oct 23:45 Movies
drwxr-xr-x 3 default staff 102 27 Oct 23:45 Music
drwxr-xr-x 3 default staff 102 27 Oct 23:45 Pictures
try manually changing your permissions to be as they should, and then see if fugu does what you want.
Mac Enthusiast
Join Date: May 2001
Originally posted by spambot:
those are some non-standard permissions there. i believe by default locally created users are in group "staff", which means that user fugu will be able to read and execute your desktop, write to your docs and library, etc. standard permission should look like
Code:
drwx------ 3 default staff 102 27 Oct 23:45 Desktop
drwx------ 3 default staff 102 25 Aug 2002 Documents
drwx------ 6 default staff 204 27 Oct 23:45 Library
drwxr-xr-x 3 default staff 102 27 Oct 23:45 Movies
drwxr-xr-x 3 default staff 102 27 Oct 23:45 Music
drwxr-xr-x 3 default staff 102 27 Oct 23:45 Pictures
try manually changing your permissions to be as they should, and then see if fugu does what you want.
spambot,
Thanks for that but how does it translate to the info I get when I use 'get info'?
I guess my home folder should be:
Owner: Simon
Access: R&W
Group: Staff
Access: No access
Others: No access
Then apply to enclosed items.
Is that right?
Why won't repairing permissions set things right?
Thanks
Simon
Fresh-Faced Recruit
Join Date: Apr 2003
Originally posted by simonmartin:
spambot,
Thanks for that but how does it translate to the info I get when I use 'get info'?
I guess my home folder should be:
Owner: Simon
Access: R&W
Group: Staff
Access: No access
Others: No access
Then apply to enclosed items. Is that right? Why won't repairing permissions set things right?
Thanks
Simon
in the 10-character permission string, the first character is the type (d is for directory), the next 3 chars are the owner's permissions, next 3 group, then finally "other." r is read, w is write, x is execute (doesn't have a particular control in finder 'get info'; makes folders openable/programs runnable; os x sets it anywhere there is read access or write access).
if there are no other users you want to share anything with, then the procedure you describe will work for your needs. but as someone mentioned earlier in the thread, the default permissions for home directories is read only for everyone, so that everyone can access the media folders (pictures/movies/music) and shared folders (public/sites), which are also by default read only for everyone. so if you want to share those things with other users, that's the default you should set them back to. the other stuff should definitely be no access for anyone other than you. especially your library. that's really dangerous.
as for repairing permissions, i don't know for sure, but i think it only touches system-level permissions issues, like the kinds of things that can break system functionality (eg, printing in particular has a history of breaking itself on os x due to funky permissions settings). the permissions problems you have here otoh are just security-related.
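The mode-string reading described above, as an added example that is not part of the original post: it decodes lines from the listing posted earlier in the thread and reports what another member of group staff, or any other account, can do with each entry. The function names and the final `Private` line are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode `ls -l` mode strings and report what a given class
# of account (owner, group member, everyone else) may do with each entry.

# perms_for MODE CLASS -> the 3-character triple for owner|group|other
perms_for() {
    case $2 in
        owner) start=2 ;;
        group) start=5 ;;
        other) start=8 ;;
        *) return 2 ;;
    esac
    printf '%s\n' "$1" | cut -c "$start-$((start + 2))"
}

# describe MODE CLASS -> space-separated rights, or "none"
describe() {
    triple=$(perms_for "$1" "$2") || return 2
    kind=$(printf '%s\n' "$1" | cut -c 1)
    rights=
    case $triple in r??) rights="$rights read" ;; esac
    case $triple in ?w?) rights="$rights write" ;; esac
    case $triple in
        ??[xst])
            # x on a directory means "may enter it", not "may run it"
            if [ "$kind" = d ]; then rights="$rights enter"
            else rights="$rights execute"; fi ;;
    esac
    [ -n "$rights" ] || rights=" none"
    printf '%s\n' "${rights# }"
}

# audit_listing CLASS -> reads `ls -l` lines on stdin, prints "name: rights".
# The name is everything after the 8th field, so "Web Sites" stays intact.
audit_listing() {
    while read -r mode _links _owner _group _size _d1 _d2 _d3 name; do
        [ -n "$name" ] || continue
        printf '%s: %s\n' "$name" "$(describe "$mode" "$1")"
    done
}

# Lines copied from the listing posted in the thread, plus one constructed
# line (Private) showing the locked-down form.
thread_listing() {
    cat <<'EOF'
drwxr-xr-x 28 simon staff 952 11 Dec 10:31 Desktop
drwxrwx--- 79 simon staff 2686 8 Dec 23:01 Documents
drwxrwx--- 54 simon staff 1836 5 Dec 21:43 Library
drwxrwxrw- 16 simon staff 544 15 Nov 08:33 Shared
drwxrwxr-x 19 simon staff 646 15 Nov 08:33 Web Sites
drwx------ 3 simon staff 102 27 Oct 23:45 Private
EOF
}

echo "As another member of group staff:"
thread_listing | audit_listing group
echo "As any other account:"
thread_listing | audit_listing other
```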
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Originally posted by simonmartin:
Arkham_c,
I hate running terminal scripts which I don't understand :-)
You should of course be very wary of scripts you don't understand. Let me break it down for you:
cd /Users/ &&
Go into the /Users directory, and assuming that works...
for user in `ls`; do
In the Users folder, run the command 'ls' to list the stuff in that folder. For each item returned by the 'ls' command (a list of folders in Users), do the following:
if [ "$user" != "Shared" ]; then
Only do what I am about to tell you if the name of the folder is not "Shared". I added this because "Shared" is used by multiple users and is owned by root. Essentially it leaves "Shared" alone.
sudo chmod -R go-rx "$user"
As root, change the folder (chmod), and all files and folders contained within it (-R) such that users within the same group (g), and others (o) subtract (-) the read (r) and execute (x) privileges. Essentially, take away the ability for group and other (non-owners) to read (open) and execute (list) the files and folders in other users' home directories.
; fi; done
End the "if not Shared" and "do" conditions I mentioned earlier.
I hope that clears up what it's doing.
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
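A narrower variant of the loop explained above, as an added example that is not part of Arkham_c's post: it works on one home directory, iterates with a shell glob so names such as "Web Sites" survive, strips write as well as read and execute, and leaves the home directory itself plus Public and Sites untouched so web sharing keeps working. The function names, the skip list and the demo tree are assumptions; the demo modes are the ones from the listing posted in the thread.

```shell
#!/bin/sh
# Added example: lock down the private folders of ONE home directory.
# Run under sh or bash (not tcsh); for another user's home, run with sudo.

# go_bits PATH -> the six group/other characters of the mode, e.g. "r-xr-x"
go_bits() {
    ls -ld "$1" | cut -c 5-10
}

# for_each_private HOME CMD... -> runs CMD... ENTRY for every top-level
# entry that should be owner-only. Public and Sites are skipped
# (assumption: they are meant to be shared).
for_each_private() {
    home_dir=$1; shift
    for entry in "$home_dir"/* "$home_dir"/.[!.]*; do
        [ -e "$entry" ] || continue          # unmatched glob
        [ ! -L "$entry" ] || continue        # never follow symlinks
        case ${entry##*/} in Public|Sites) continue ;; esac
        "$@" "$entry"
    done
}

# Prints "BITS NAME" when group or other has any access at all.
report_if_exposed() {
    [ "$(go_bits "$1")" = "------" ] || printf '%s %s\n' "$(go_bits "$1")" "${1##*/}"
}

audit_home()   { for_each_private "$1" report_if_exposed; }
tighten_home() { for_each_private "$1" chmod -R go-rwx; }

# Constructed demo home; modes are the ones from the listing in the thread.
make_demo_home() {
    demo=$(mktemp -d) || return 1
    mkdir "$demo/Desktop" "$demo/Documents" "$demo/Library" \
          "$demo/Sites" "$demo/Web Sites"
    : > "$demo/Documents/notes.txt"
    chmod 755 "$demo" "$demo/Desktop"
    chmod 770 "$demo/Documents" "$demo/Library"
    chmod 775 "$demo/Sites" "$demo/Web Sites"
    chmod 664 "$demo/Documents/notes.txt"
    printf '%s\n' "$demo"
}

demo_home=$(make_demo_home)
echo "exposed before:"; audit_home "$demo_home"
tighten_home "$demo_home"
echo "exposed after:";  audit_home "$demo_home"
rm -rf "$demo_home"
```

Run `audit_home` first and read its output before calling `tighten_home`; any folder that another account or service legitimately needs belongs in the skip list.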
Dedicated MacNNer
Join Date: Aug 2001
Originally posted by simonmartin:
chaldean oracle,
Hope this is what you mean...
This is directly after repairing permissions. I found that Fugu can even access my webDAV folder without being asked for a password.
Code:
drwxr-x--- 3 simon staff 102 15 Nov 08:31 Applications
drwxr-xr-x 28 simon staff 952 11 Dec 10:31 Desktop
drwxrwx--- 9 simon staff 306 15 Nov 08:31 Dockthing
drwxrwx--- 79 simon staff 2686 8 Dec 23:01 Documents
drwxrwx--- 22 simon staff 748 11 Dec 10:27 Expander
-rw-r--r-- 1 simon staff 0 7 Sep 19:03 IDE
drwxrwx--- 27 simon staff 918 15 Nov 08:33 Kate
drwxrwx--- 54 simon staff 1836 5 Dec 21:43 Library
-rw-r--r-- 1 simon staff 0 26 Aug 22:53 MME
drwxrwx--- 6 simon staff 204 15 Nov 08:33 Movies
drwxrwx--- 16 simon staff 544 15 Nov 08:33 Music
-rw-rw---- 1 simon staff 192 30 Jan 2003 OpenOffice.org_1.0.1.2_Final_Beta_InstallLog.log
drwxrwxr-x 16 simon staff 544 15 Nov 08:33 Pictures
drwxrwx--- 6 simon staff 204 28 Nov 20:13 Public
drwxrwxrw- 16 simon staff 544 15 Nov 08:33 Shared
drwxrwxr-x 11 simon staff 374 23 Mar 2003 Sites
drwxrwxr-x 19 simon staff 646 15 Nov 08:33 Web Sites
Repairing permission won't touch anything in /Users but running it is a good idea in case things elsewhere are screwed up.
The fact that your critical directories (Documents, Library, Music, etc) don't match what the OS default is (check /System/Library/User Template/English.lproj) leads me to believe that at some point in the past you messed around with permissions and didn't realize what you did or you have some evil application installer.
I'm willing to bet you messed with permissions in order to get web serving from your home directory working. It wouldn't have worked otherwise.
I'm taking it well cause I _KNOW_ this isn't a fugu issue and more likely user error. I've seen it way too many times.
Most of my directories are chmod 700 (user only) so they aren't accessible to anyone but me.
Mac Enthusiast
Join Date: May 2001
Originally posted by Arkham_c:
You should of course be very wary of scripts you don't understand. Let me break it down for you:
cd /Users/ &&
Go into the /Users directory, and assuming that works...
for user in `ls`; do
In the Users folder, run the command 'ls' to list the stuff in that folder. For each item returned by the 'ls' command (a list of folders in Users), do the following:
if [ "$user" != "Shared" ]; then
Only do what I am about to tell you if the name of the folder is not "Shared". I added this because "Shared" is used by multiple users and is owned by root. Essentially it leaves "Shared" alone.
sudo chmod -R go-rx "$user"
As root, change the folder (chmod), and all files and folders contained within it (-R) such that users within the same group (g), and others (o) subtract (-) the read (r) and execute (x) privileges. Essentially, take away the ability for group and other (non-owners) to read (open) and execute (list) the files and folders in other users' home directories.
; fi; done
End the "if not Shared" and "do" conditions I mentioned earlier.
I hope that clears up what it's doing.
Arkham_c,
You're a good man. I appreciate you doing that.
However, this is what I get: I just copy/pasted your command..
[simonmartins-computer:/Users] simon% cd /Users/ && for user in `ls`; do if [ "$user" != "Shared" ]; then sudo chmod -R go-rx "$user"; fi; done
OK? cd /Users/ && fpr user in `ls`; od if [ "$user" != "Shared" ]; then sudo chmod -R go-rx "$user"; if; done? no
tcsh: for: Command not found.
tcsh: do: Command not found.
tcsh: then: Command not found.
tcsh: fi: Command not found.
tcsh: done: Command not found.
[simonmartins-computer:/Users] simon%
I'm probably doing something stupid...
Simon
Posting Junkie
Join Date: Dec 2000
Try using the bash shell instead of tcsh. First type "/bin/bash" without the quotes and followed by a carriage return, then enter the script that Arkham_c posted. I think it should work then.
Mac Enthusiast
Join Date: May 2001
Originally posted by CharlesS:
Try using the bash shell instead of tcsh. First type "/bin/bash" without the quotes and followed by a carriage return, then enter the script that Arkham_c posted. I think it should work then.
CharlesS,
Many thanks, that seemed to do the trick.
Well, now Fugu can't get in to my home folder (Thanks to everyone who has helped me with this!) but it can still get in to the root folder and in to the webdav folder, which should be password protected.
Are my permissions still messed up?
Simon
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Originally posted by simonmartin:
CharlesS,
Many thanks, that seemed to do the trick.
Well, now Fugu can't get in to my home folder (Thanks to everyone who has helped me with this!) but it can still get in to the root folder and in to the webdav folder, which should be password protected.
Are my permissions still messed up?
Simon
What is the path to the webdav folder? There's no concept of password protecting a folder from SSH. You can change the permissions of the folder to only be accessible by the user running the web server (www on Panther), and that will prevent you from browsing it.
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
Mac Enthusiast
Join Date: May 2001
Originally posted by Arkham_c:
What is the path to the webdav folder? There's no concept of password protecting a folder from SSH. You can change the permissions of the folder to only be accessible by the user running the web server (www on Panther), and that will prevent you from browsing it.
Arkham_c
(Thanks for that script!)
The path to my webdav folder is /Library/Webserver/Documents/WebDav
Simon
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Originally posted by simonmartin:
Arkham_c
(Thanks for that script!)
The path to my webdav folder is /Library/Webserver/Documents/WebDav
Simon
If you want to restrict access to this folder to web-only access, do the following:
Code:
chown -R www:www /Library/Webserver/Documents/WebDav
chmod -R go-rwx /Library/Webserver/Documents/WebDav
Bear in mind that if you do this, then the only access you'll have to this directory will be through WebDav (you'll have no local filesystem access). If you want both, you'll probably want to create a new group in NetInfo Manager (say, "webdav"), add any users with access to the WebDav directory to that group, and use that for the group in the example above (www:webdav instead of www:www).
UNIX permissions are not that complex once you understand the rules that govern them.
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
Mac Enthusiast
Join Date: May 2001
Originally posted by Arkham_c:
If you want to restrict access to this folder to web-only access, do the following:
Code:
chown -R www:www /Library/Webserver/Documents/WebDav
chmod -R go-rwx /Library/Webserver/Documents/WebDav
UNIX permissions are not that complex once you understand the rules that govern them.
Arkham_c,
I think I'll quit whilst I'm ahead :-)
Thanks to everyone who has helped me with this!
2 things I still find surprising:
1* Repairing permissions doesn't seem to.
2* SSH gives a user more permissions than the Finder does.
Anyway... This all started through not being able to get Pureftpd working properly.
Another thread soon... :-)
Thanks again.
Simon
Addicted to MacNN
Join Date: Mar 2000
Location: London, UK
Originally posted by simonmartin:
1* Repairing permissions doesn't seem to.
That's because the permissions weren't broken per se, they were just set incorrectly according to what you expected.
2* SSH gives a user more permissions than the Finder does.
I'd be surprised if that were the case.
I suggest you read one of those books about the underlying UNIX architecture if you're going to be doing this sort of thing, you seem quite confuzzled.
Mac Enthusiast
Join Date: May 2001
Originally posted by Angus_D:
That's because the permissions weren't broken per se, they were just set incorrectly according to what you expected.
I'd be surprised if that were the case.
I suggest you read one of those books about the underlying UNIX architecture if you're going to be doing this sort of thing, you seem quite confuzzled.
Angus_D,
Using the Finder, I couldn't get on to any other user's desktop. Using Fugu I could.
Simon