Security Hole
Dedicated MacNNer
Join Date: Oct 1999
Location: Heath Springs, SC
I posted this at Apple.com, and got some response, but no explanations.
I've got a major hole I may have inadvertently uncovered. I just purchased a G4 PowerBook. It's running 10.3.2 and I've got a dual 800 with the same OS. I have similar setups. In fact both machines have the same short name, user name, and password. The problem is that when I use Spamfire, it auto launches Entourage with an AppleScript to receive new mail. The problem arises when it launches Entourage on both machines. They are only connected via AirPort, no file sharing turned on or sharing of any kind. Seems possibly like a big problem to me. Sorry for the typos, I'm using a beta of Firefox and the input boxes lag seriously behind the typing.
I've also noticed that since adding the PowerBook, sharing prefs are constantly resetting on both machines.
Professional Poster
Join Date: Sep 2000
Originally posted by Mark N:
In fact both machines have the same short name, user name, and password.
this is a bad idea.
-r.
Dedicated MacNNer
Join Date: Oct 1999
Location: Heath Springs, SC
I'm beginning to realize this, but now my concern is if this is a security hole and anyone else who were to "guess" a short name and password could manipulate the machine via AppleScript.
Exactly, why do you say it's a bad idea? Networking probs?
Addicted to MacNN
Join Date: Apr 2001
Location: europe
I don't think it's a problem to have the same user names on multiple machines. Wouldn't see why. It's probably a bad idea to have the same computer names, but you can easily change that in the "Sharing" preference pane.
With regard to AppleScript, open System Preferences->Sharing->Services and see whether you have Remote Apple Events on. Turn that off and you shouldn't be able to script that computer any more.
Nasrudin sat on a river bank when someone shouted to him from the opposite side: "Hey! how do I get across?" "You are across!" Nasrudin shouted back.
Dedicated MacNNer
Join Date: Oct 1999
Location: Heath Springs, SC
That was a suggestion at apple.com, but I have no sharing prefs on. Remote is off.
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Originally posted by rjenkinson:
this is a bad idea.
-r.
I don't know. My PowerBook and my desktop have identical user accounts (same username, and password). The two have different hostnames, however, and the network sees them just fine. I only have my laptop hooked to the network when transferring files between the machines.
Professional Poster
Join Date: Apr 2001
Location: Asheville, NC
Do you have "Remote Apple Events" enabled in the Sharing section of the System Preferences? That allows you to run AppleScripts from other machines.
ACSA 10.4/10.3, ACTC 10.3, ACHDS 10.3
Banned
Join Date: Feb 2004
Location: Spread across a 5-kilometre radius somewhere in Chechnya, after the Russian apostates struck me down with a satphone-seeking missile
Originally posted by Mark N:
if this is a security hole and anyone else who were to "guess" a short name and password could manipulate the machine via AppleScript.
dude, if someone has your username and password you're screwed. That's the most basic way any computer or system authenticates. I'm lost as to why you think this is a security hole.
Dedicated MacNNer
Join Date: Oct 1999
Location: Heath Springs, SC
Remote sharing events is not turned on...
Yes. I'm mainly curious as to why when I have no sharing prefs turned on at all, an AppleScript on one machine is able to control an AppleScript on the other machine. I changed the passwords so that they were different, and only the short usernames were the same. The PowerBook was able to control the machine via AppleScript then, too. Only once I changed the short name did the process stop.
(Last edited by Mark N; Feb 18, 2004 at 02:16 AM.)
Addicted to MacNN
Join Date: Apr 2001
Location: europe
If Remote Apple Events are turned off, then AppleScript cannot control the computer. Regardless of user name and password.
Nasrudin sat on a river bank when someone shouted to him from the opposite side: "Hey! how do I get across?" "You are across!" Nasrudin shouted back.
Senior User
Join Date: Dec 2003
sounds like something in rendezvous. dunno if i'd call it a bug if you have machines with the same name as well as matching usernames and passwords..
if someone already has your username and password you have more to worry about than remotely launching entourage.