Welcome to the MacNN Forums.

Finder Authentication, Root Security Issue
mcsjgs
Mac Enthusiast
Join Date: May 2000
Location: Collie-fornya
Nov 24, 2003, 05:01 PM
 
Finder authentication in Mac OS X 10.3 circumvents root file permissions

Date: 2003-11-24

Security-Corporation ID : SC-0783
URL : http://www.security-corporation.com/...31124-001.html
Author : Santino Rizzo <[email protected]>
Product : Mac OS X 10.3
Source Message Contents :

Vendor: Apple Computer
Target: Finder authentication in Mac OS X 10.3

If a user in the admin group tries to write to the /System/Library
directory, which has owner permissions of root:wheel and file
permissions of 755, they are presented with an authentication dialog
from the Finder. Upon authenticating as an admin they are given full
access to the directory, circumventing the root permissions. This
occurs even if the admin group is removed from the sudoers list.

The Finder is authenticating using the /etc/authorization control list.
The authorization right it is looking for is
'com.apple.desktopservices'. This right is not in the list so it is
falling back to the 'default' rule which allows any admin to be
authorized thus gaining write access even though the admin group does
not have write permissions and even if admin is not allowed to sudo.
If the "Go To Folder.." command is used, the admin user can gain write
access to any directory on the system including /private which belongs
to root.
Suicide Bombers: That never-say-die spirit. No, that's not right.
     
Angus_D
Addicted to MacNN
Join Date: Mar 2000
Location: London, UK
Nov 24, 2003, 06:47 PM
 
This isn't really an issue. Admin users are effectively root. sudo isn't the only way to perform privileged operations. Out of the box, authorization.right.execute is set to admins. If you want to tighten the security, feel free to modify the rights database, which would "fix" this for you.
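
The fallback described in the advisory and the rights-database change mentioned in the reply can be modelled as follows. This is an added example, not part of either post and not Apple's code. It assumes a simplified policy layout: an empty-string generic entry, wildcard keys ending in ".", and a "rules" table. The policy contents and the `fs-admins` group are constructed for illustration.

```python
import copy

# Constructed, simplified policy (the dict shape plistlib.load() would give
# for a rights database); NOT the contents of a real /etc/authorization.
POLICY = {
    "rights": {
        "": {"class": "rule", "rule": "default"},            # generic entry
        "system.preferences.": {"class": "user", "group": "admin"},  # wildcard
        "system.privilege.admin": {"class": "user", "group": "admin"},
    },
    "rules": {"default": {"class": "user", "group": "admin"}},
}

def match_right(policy, name):
    """Key in 'rights' that governs `name`: exact, longest wildcard, or ''."""
    rights = policy["rights"]
    if name in rights:
        return name
    wild = [k for k in rights if k.endswith(".") and name.startswith(k)]
    return max(wild, key=len) if wild else ""

def resolve(policy, name):
    """Return (matched key, effective entry), following 'rule' references."""
    key = match_right(policy, name)
    entry, seen = policy["rights"][key], set()
    while entry.get("class") == "rule":
        if entry["rule"] in seen:
            raise ValueError("rule loop at " + entry["rule"])
        seen.add(entry["rule"])
        entry = policy["rules"][entry["rule"]]
    return key, entry

def falls_to_default(policy, requested):
    """Requested rights that only the generic ('') entry covers."""
    return [r for r in requested if match_right(policy, r) == ""]

def with_explicit_right(policy, name, entry):
    """Copy of the policy with an explicit entry for `name` added."""
    tightened = copy.deepcopy(policy)
    tightened["rights"][name] = entry
    return tightened

if __name__ == "__main__":
    right = "com.apple.desktopservices"
    print(resolve(POLICY, right))        # generic entry, admin group
    strict = with_explicit_right(POLICY, right,
                                 {"class": "user", "group": "fs-admins"})
    print(resolve(strict, right))        # explicit entry, hypothetical group
```

Running `falls_to_default` over the rights an application is known to request shows which of them are governed only by the generic entry and therefore inherit whatever the `default` rule allows.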
     
   
 