[simonmartin]

Hi,

I'm a bit spooked by this... I'm hoping I'm being daft about something...

This is what I did:

I enabled 'Remote Login' on my computer.

I downloaded Fugu from <http://rsug.itd.umich.edu/software/fugu/>

I set up a new account which I called 'Fugu', with the password 'fugutest'.

I gave this account very strict limitations: Under the 'Limitations' tab I selected 'simple finder', I allowed Fugu to be the *only* application to be used.

I then logged in to the fugu account using fast user switching in Panther. I was still loged in to my admin account.

I launched Fugu and logged into my own account (the fugu account that is) running on 192.168.0.2, which is the internal ip address of my computer. Localhost will probably work as well.

I now find that I have full access to anything in the desktop folder of any account on the computer! I can copy any docs from any desktop folder in to my documents folder. I cannot reach any further down than the desktop.

Furthermore, I have unrestricted access to the root of the machine and can copy any application or document there.

WTF is up with this!

Please tell me I'm crazy... It can't be right that I can do this.

(Waiting for someone to make me look very stupid...)

Simon

[Zadian]

It's not fugu that compromises your computer security - it's you.

You enabled ssh terminal log in and sFTP access for the entire computer.
That's the purpose of remote login.

Fugu is an application to use that feature you enabled. If you log in as an other user, let's say as an admin user, you will have all the privileges that user has.

[simonmartin]

Originally posted by Zadian:
It's not fugu that compromises your computer security - it's you.

You enabled ssh terminal log in and sFTP access for the entire computer.
That's the purpose of remote login.

Fugu is an application to use that feature you enabled. If you log in as an other user, let's say as an admin user, you will have all the privileges that user has.

Zadian,

So If I had logged out of the admin account, the Fugu account wouldnt be able to reach in to the computer the way it did?

Simon

[nickm]

If you log in to your admin account with ssh or fugu from the Fugu account, you should be able to access anything your admin account can access. However, that shouldn't include the desktops of other users, in general. (Unless the default permissions of 10.3 are different than 10.2).

[simonmartin]

Originally posted by nickm:
If you log in to your admin account with ssh or fugu from the Fugu account, you should be able to access anything your admin account can access. However, that shouldn't include the desktops of other users, in general. (Unless the default permissions of 10.3 are different than 10.2).

nickm,

Thanks for your response.

I still don't get this and I'm wondering if I didn't cloud the waters by calling the User account 'Fugu'...

Let's say I'm the admin of the box.

I set up a new account for you called 'nickm'.

The only application you are allowed to use is Fugu. You are basically the *least* trusted user on the box.

You now log in to your account on the box, launch Fugu and tell it to loop back and log in to your own account, 'nickm', because that's the only account you have a username/passord for.

Now you have access to *my* desktop!

This I don't get...

Simon

[BatmanPPC]

Originally posted by simonmartin:
nickm,

Thanks for your response.

I still don't get this and I'm wondering if I didn't cloud the waters by calling the User account 'Fugu'...

Let's say I'm the admin of the box.

I set up a new account for you called 'nickm'.

The only application you are allowed to use is Fugu. You are basically the *least* trusted user on the box.

You now log in to your account on the box, launch Fugu and tell it to loop back and log in to your own account, 'nickm', because that's the only account you have a username/passord for.

Now you have access to *my* desktop!

This I don't get...

Simon

This is NOT a fugu issue.

I'm not sure why you're surprised. Permissions for home directory allow everyone read access.

[foobar@foobaz foobar]$ ls -ld /Users/foobar ~/Desktop/
drwxr-xr-x 99 foobar staff 3366 Dec 10 20:03 /Users/foobar
drwxr-xr-x 67 foobar staff 2278 Dec 10 21:00 /Users/foobar/Desktop/

This is the way it is on several OS X machines I've checked.

[Detrius]

In the terminal, type:

ls -al ~/Desktop

The left of the second line from the top lists the permissions of your desktop. If it says:

drwxr-xr-x

Then anyone will be able to read your desktop directory. To fix this, as the non-fugu user, type:

chmod 700 ~/Desktop

This should change that line to

drwx------

which means that no one but you will be able to read that directory.

It might be a good idea to read the man page on chmod.

[CharlesS]

Open Disk Utility, and do a Repair Permissions. At the very least, this should take care of all users having write access to the root of your drive.

[simonmartin]

Originally posted by BatmanPPC:
This is NOT a fugu issue.

I'm not sure why you're surprised. Permissions for home directory allow everyone read access.

This is the way it is on several OS X machines I've checked.

BatmanPPC,

Well, on my machine, if I try to access the desktop of another account through the *Finder* I get blocked with a permissions error.

I *can* access the very same desktop through Fugu.

I have to say you guys are taking this a lot better than me... :-)

Simon

[Arkham_c]

Originally posted by simonmartin:
BatmanPPC,

Well, on my machine, if I try to access the desktop of another account through the *Finder* I get blocked with a permissions error.

I *can* access the very same desktop through Fugu.

I have to say you guys are taking this a lot better than me... :-)

Simon

Open a terminal. Type this:

Code:
cd /Users/ && for user in `ls`; do if [ "$user" != "Shared" ]; then sudo chmod -R go-rx "$user"; fi; done

That should fix it. It will ask for your admin password one time. This will fix all user files and directories to only be readable or executable by the owner.

[chaldean oracle]

Originally posted by simonmartin:
BatmanPPC,

Well, on my machine, if I try to access the desktop of another account through the *Finder* I get blocked with a permissions error.

I *can* access the very same desktop through Fugu.

I have to say you guys are taking this a lot better than me... :-)

Simon

We're taking it better because we don't believe that Fugu is doing anything magical or special here. Rather, we think your permissions are screwed up in a way that affects the Finder but not Fugu.

Try it in the Terminal -- fast-switch over to your 'fugu' user, and fire up Terminal.
then:
cd /Users/simonmartin/
ls -l

copy and paste the results here (wrapped in [ CODE ] tag)

[simonmartin]

Originally posted by chaldean oracle:
We're taking it better because we don't believe that Fugu is doing anything magical or special here. Rather, we think your permissions are screwed up in a way that affects the Finder but not Fugu.

Try it in the Terminal -- fast-switch over to your 'fugu' user, and fire up Terminal.
then:
cd /Users/simonmartin/
ls -l

copy and paste the results here (wrapped in [ CODE ] tag)

chaldean oracle,

Hope this is what you mean...

This is directly after repairing permissions. I found that Fugu can even access my webDAV folder without being asked for a password.

Code:
drwxr-x---   3 simon  staff   102 15 Nov 08:31 Applications
drwxr-xr-x  28 simon  staff   952 11 Dec 10:31 Desktop
drwxrwx---   9 simon  staff   306 15 Nov 08:31 Dockthing
drwxrwx---  79 simon  staff  2686  8 Dec 23:01 Documents
drwxrwx---  22 simon  staff   748 11 Dec 10:27 Expander
-rw-r--r--   1 simon  staff     0  7 Sep 19:03 IDE
drwxrwx---  27 simon  staff   918 15 Nov 08:33 Kate
drwxrwx---  54 simon  staff  1836  5 Dec 21:43 Library
-rw-r--r--   1 simon  staff     0 26 Aug 22:53 MME
drwxrwx---   6 simon  staff   204 15 Nov 08:33 Movies
drwxrwx---  16 simon  staff   544 15 Nov 08:33 Music
-rw-rw----   1 simon  staff   192 30 Jan  2003 OpenOffice.org_1.0.1.2_Final_Beta_InstallLog.log
drwxrwxr-x  16 simon  staff   544 15 Nov 08:33 Pictures
drwxrwx---   6 simon  staff   204 28 Nov 20:13 Public
drwxrwxrw-  16 simon  staff   544 15 Nov 08:33 Shared
drwxrwxr-x  11 simon  staff   374 23 Mar  2003 Sites
drwxrwxr-x  19 simon  staff   646 15 Nov 08:33 Web Sites

[simonmartin]

Originally posted by Arkham_c:
Open a terminal. Type this:

Code:
cd /Users/ && for user in `ls`; do if [ "$user" != "Shared" ]; then sudo chmod -R go-rx "$user"; fi; done

That should fix it. It will ask for your admin password one time. This will fix all user files and directories to only be readable or executable by the owner.

Arkham_c,

I hate running terminal scripts which I don't understand :-)

This won't screw my webserver/webdav or anything?

Simon

[spambot]

Originally posted by simonmartin:
This is directly after repairing permissions. I found that Fugu can even access my webDAV folder without being asked for a password.

Code:
drwxr-xr-x  28 simon  staff   952 11 Dec 10:31 Desktop
drwxrwx---  79 simon  staff  2686  8 Dec 23:01 Documents
drwxrwx---  54 simon  staff  1836  5 Dec 21:43 Library

those are some non-standard permissions there. i believe by default locally created users are in group "staff", which means that user fugu will be able to read and execute your desktop, write to your docs and library, etc. standard permission should look like

Code:
drwx------  3 default  staff   102 27 Oct 23:45 Desktop
drwx------  3 default  staff   102 25 Aug  2002 Documents
drwx------  6 default  staff   204 27 Oct 23:45 Library
drwxr-xr-x  3 default  staff   102 27 Oct 23:45 Movies
drwxr-xr-x  3 default  staff   102 27 Oct 23:45 Music
drwxr-xr-x  3 default  staff   102 27 Oct 23:45 Pictures

try manually changing your permissions to be as they should, and then see if fugu does what you want.

[simonmartin]

Originally posted by spambot:
those are some non-standard permissions there. i believe by default locally created users are in group "staff", which means that user fugu will be able to read and execute your desktop, write to your docs and library, etc. standard permission should look like

Code:
drwx------  3 default  staff   102 27 Oct 23:45 Desktop
drwx------  3 default  staff   102 25 Aug  2002 Documents
drwx------  6 default  staff   204 27 Oct 23:45 Library
drwxr-xr-x  3 default  staff   102 27 Oct 23:45 Movies
drwxr-xr-x  3 default  staff   102 27 Oct 23:45 Music
drwxr-xr-x  3 default  staff   102 27 Oct 23:45 Pictures

try manually changing your permissions to be as they should, and then see if fugu does what you want.

spambot,

Thanks for that but how does it translate to the info I get when I use 'get info'?

I guess my home folder should be:
Owner: Simon
Access: R&W

Group: Staff
Access: No access

Others: No access

Then apply to enclosed items.

Is that right?

Why won't repairing permissions set things right?

Thanks

Simon

[spambot]

Originally posted by simonmartin:
spambot,
Thanks for that but how does it translate to the info I get when I use 'get info'?
I guess my home folder should be:
Owner: Simon
Access: R&W
Group: Staff
Access: No access
Others: No access
Then apply to enclosed items. Is that right? Why won't repairing permissions set things right?
Thanks
Simon

in the 10-character permission string, the first character is the type (d is for directory), the next 3 chars are the owner's permissions, next 3 group, then finally "other." r is read, w is write, x is execute (doesn't have a particular control in finder 'get info'; makes folders openable/programs runable; os x sets it anywhere there is read access or write access).
if there are no other users you want to share anything with, then the procedure you describe will work for your needs. but as someone mentioned earlier in the thread, the default permissions for home directories is read only for everyone, so that everyone can access the media folders (pictures/movies/music) and shared folders (public/sites), which are also by default read only for everyone. so if you want to share those things with other users, that's the default you should set them back to. the other stuff should definitely be no access for anyone other than you. especially your library. that's really dangerous.
as for repairing permissions, i don't know for sure, but i think it only touches system-level permissions issues, like the kinds of things that can break system functionality (eg, printing in particular has a history of breaking itself on os x due to funky permissions settings). the permissions problems you have here otoh are just security-related.

[Arkham_c]

Originally posted by simonmartin:
Arkham_c,

I hate running terminal scripts which I don't understand :-)

You should of course be very wary of scripts you don't understand. Let me break it down for you:

cd /Users/ &&

Go into the /Users directory, and assuming that works...


for user in `ls`; do

In the Users folder, run the command 'ls' to list the stuff in that folder. For each item returned by the 'ls' command (a list of folders in Users), do the following:


if [ "$user" != "Shared" ]; then

Only do what I am about to tell you if the name of the folder is not "Shared". I added this because "Shared" is used by multiple users and is owned by root. Essentially it leaves "Shared" alone.


sudo chmod -R go-rx "$user"


As root, change the folder (chmod), and all files and folders contained within it (-R) such that users within the same group (g), and others (o) subtract (-) the read(r) and execute (x) priveleges. Essentially, take away the ability for group and other (non-owners) to read (open) and execute (list) the files and folders in other users' home directories.


; fi; done

End the "if not Shared" and "do" conditions I mentioned earlier.

I hope that clears up what it's doing.

[BatmanPPC]

Originally posted by simonmartin:
chaldean oracle,

Hope this is what you mean...

This is directly after repairing permissions. I found that Fugu can even access my webDAV folder without being asked for a password.

Code:
drwxr-x---   3 simon  staff   102 15 Nov 08:31 Applications
drwxr-xr-x  28 simon  staff   952 11 Dec 10:31 Desktop
drwxrwx---   9 simon  staff   306 15 Nov 08:31 Dockthing
drwxrwx---  79 simon  staff  2686  8 Dec 23:01 Documents
drwxrwx---  22 simon  staff   748 11 Dec 10:27 Expander
-rw-r--r--   1 simon  staff     0  7 Sep 19:03 IDE
drwxrwx---  27 simon  staff   918 15 Nov 08:33 Kate
drwxrwx---  54 simon  staff  1836  5 Dec 21:43 Library
-rw-r--r--   1 simon  staff     0 26 Aug 22:53 MME
drwxrwx---   6 simon  staff   204 15 Nov 08:33 Movies
drwxrwx---  16 simon  staff   544 15 Nov 08:33 Music
-rw-rw----   1 simon  staff   192 30 Jan  2003 OpenOffice.org_1.0.1.2_Final_Beta_InstallLog.log
drwxrwxr-x  16 simon  staff   544 15 Nov 08:33 Pictures
drwxrwx---   6 simon  staff   204 28 Nov 20:13 Public
drwxrwxrw-  16 simon  staff   544 15 Nov 08:33 Shared
drwxrwxr-x  11 simon  staff   374 23 Mar  2003 Sites
drwxrwxr-x  19 simon  staff   646 15 Nov 08:33 Web Sites

Repairing permission won't touch anything in /Users but running it is a good idea in case things elsewhere are screwed up.

The fact that your critical directories (Documents, Library, Music, etc) don't match what the OS default is (check /System/Library/User Template/English.lproj) leads me to believe that at some point in the past you messed around with permissions and didn't realize what you did or you have some evil application installer.

I'm willing to bet you messed with permissions in order to get web serving from your home directory working. It wouldn't have worked otherwise.

I'm taking it well cause I _KNOW_ this isn't a fugu issue and more likely user error. I've seen it way too many times.

My most of my directories are chmod 700 (user only) so they aren't accessible to anyone but me.

[simonmartin]

Originally posted by Arkham_c:
You should of course be very wary of scripts you don't understand. Let me break it down for you:

cd /Users/ &&

Go into the /Users directory, and assuming that works...


for user in `ls`; do

In the Users folder, run the command 'ls' to list the stuff in that folder. For each item returned by the 'ls' command (a list of folders in Users), do the following:


if [ "$user" != "Shared" ]; then

Only do what I am about to tell you if the name of the folder is not "Shared". I added this because "Shared" is used by multiple users and is owned by root. Essentially it leaves "Shared" alone.


sudo chmod -R go-rx "$user"


As root, change the folder (chmod), and all files and folders contained within it (-R) such that users within the same group (g), and others (o) subtract (-) the read(r) and execute (x) priveleges. Essentially, take away the ability for group and other (non-owners) to read (open) and execute (list) the files and folders in other users' home directories.


; fi; done

End the "if not Shared" and "do" conditions I mentioned earlier.

I hope that clears up what it's doing.

Arkham_c,

You're a good man. I appreciate you doing that.

However, this is what I get: I just copy/pasted your command..

[simonmartins-computer:/Users] simon% cd /Users/ && for user in `ls`; do if [ "$user" != "Shared" ]; then sudo chmod -R go-rx "$user"; fi; done

OK? cd /Users/ && fpr user in `ls`; od if [ "$user" != "Shared" ]; then sudo chmod -R go-rx "$user"; if; done? no
tcsh: for: Command not found.
tcsh: do: Command not found.
tcsh: then: Command not found.
tcsh: fi: Command not found.
tcsh: done: Command not found.
[simonmartins-computer:/Users] simon%

I'm probably doing something stupid...

Simon

[CharlesS]

Try using the bash shell instead of tcsh. First type "/bin/bash" without the quotes and followed by a carriage return, then enter the script that Arkham_c posted. I think it should work then.

[simonmartin]

Originally posted by CharlesS:
Try using the bash shell instead of tcsh. First type "/bin/bash" without the quotes and followed by a carriage return, then enter the script that Arkham_c posted. I think it should work then.

CharlesS,

Many thanks, that seemed to do the trick.

Well, now Fugu can't get in to my home folder (Thanks to everyone who has helped me with this!) but it can still get in to the root folder and in to the webdav folder, which should be password protected.

Are my permissions still messed up?

Simon

[Arkham_c]

Originally posted by simonmartin:
CharlesS,

Many thanks, that seemed to do the trick.

Well, now Fugu can't get in to my home folder (Thanks to everyone who has helped me with this!) but it can still get in to the root folder and in to the webdav folder, which should be password protected.

Are my permissions still messed up?

Simon

What is the path to the webdav folder? There's no concept of password protecting a folder from SSH. You can change the permissions of the folder to only be accessible by the user running the web server (www on Panther), and that will prevent you from browsing it.

[simonmartin]

Originally posted by Arkham_c:
What is the path to the webdav folder? There's no concept of password protecting a folder from SSH. You can change the permissions of the folder to only be accessible by the user running the web server (www on Panther), and that will prevent you from browsing it.

Arkham_c

(Thanks for that script!)

The path to my webdav folder is /Library/Webserver/Documents/WebDav

Simon

[Arkham_c]

Originally posted by simonmartin:
Arkham_c

(Thanks for that script!)

The path to my webdav folder is /Library/Webserver/Documents/WebDav

Simon

If you want to restrict access to this folder to web-only access, do the following:

Code:
chown -R www:www /Library/Webserver/Documents/WebDav
chmod -R go-rwx /Library/Webserver/Documents/WebDav

Bear in mind that if you do this, then the only access you'll have to this directory will be through WebDav (you'll have no local filesystem access). If you want both, you'll probably want to create a new group in NetInfo Manager (say, "webdav"), add any users with access to the WebDav directory to that group, and use that for the group in the example above (www:webdav instead of www:www).

UNIX permissions are not that complex once you understand the rules that govern them.

[simonmartin]

Originally posted by Arkham_c:
If you want to restrict access to this folder to web-only access, do the following:

Code:
chown -R www:www /Library/Webserver/Documents/WebDav
chmod -R go-rwx /Library/Webserver/Documents/WebDav

UNIX permissions are not that complex once you understand the rules that govern them.

Arkham_c,

I think I'll quit whilst I'm ahead :-)

Thanks for everyone who has helped me with this!

2 things I still find surprising:
1* Repairing permissions doesn't seem to.
2* SSH gives a user more permissions than the Finder does.

Anyway... This all started through not being able to get Pureftpd working properly.

Another thread soon... :-)

Thanks again.

Simon

[Angus_D]

Originally posted by simonmartin:
1* Repairing permissions doesn't seem to.

That's because the permissions weren't broken per se, they were just set incorrectly according to what you expected.

2* SSH gives a user more permissions than the Finder does.

I'd be surprised if that were the case.

I suggest you read one of those books about the underlying UNIX architecture if you're going to be doing this sort of thing, you seem quite confuzzled.

[simonmartin]

Originally posted by Angus_D:
That's because the permissions weren't broken per se, they were just set incorrectly according to what you expected.
I'd be surprised if that were the case.

I suggest you read one of those books about the underlying UNIX architecture if you're going to be doing this sort of thing, you seem quite confuzzled.

Angus_D,

Using the Finder, I couldn't get on to any other user's desktop. Using Fugu I could.

Simon