hschickel
03-06-2002, 08:44 AM
I don't believe this has been posted before and I think it may be a bug on Apple's part - it certainly is a bit of a security hole.
I've found you can eliminate Classic startups entirely by removing write permissions from the Classic System Folder.
chmod a-w /System\ Folder or sudo chmod uo-w /System\ Folder if you've chown'd the System Folder to root.
*If your System Folder is not located at /System\ Folder please substitute your path.
**The security hole is that you can't give a non-admin user access to Classic without giving him write access to /System\ Folder. You can mitigate this some by allowing this access only to staff users and setting the sticky bit, i.e.:
sudo chown root:staff System\ Folder
sudo chmod 1770 System\ Folder
You can further mitigate by chown'ing the internal folders inside the System Folder that do not need write access to group admin and setting other access to rx (i.e. folders other than Application Support, MS Preference Panels, Preferences, PrintMonitor Documents, etc).
Generally if a user needs permissions beyond his level I can set the setuid or setgid to the application and be done with it. I've been playing around with /System/Library/CoreServices/Classic\ Startup.app and its contents with no success. Has anyone found a way to give a user Classic access w/o write access to the System Folder?
The problem, by the way, seems to be that Apple's Classic startup tests for write access to this folder before it tests for the presence of the items that Classic Startup.app installs. (It's necessary to write to System Folder the first time Classic starts up but it is not necessary after the first time as far as I can tell.)
Any thoughts on this would be great,
Hugh
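The permission scheme described in the post above can be checked after the fact. The following is an added example, not part of the original post: a POSIX shell audit that assumes the folder was set up with chmod 1770 as described, and uses a constructed allowlist (WRITABLE) built from the folder names the post mentions. The function names has_perm and audit_sysfolder are hypothetical.

```shell
#!/bin/sh
# Folders the post lists as needing user write access (constructed allowlist;
# the post's list ends in "etc", so extend it for your own System Folder).
WRITABLE='Application Support|MS Preference Panels|Preferences|PrintMonitor Documents'

# has_perm PATH MODE: true if PATH itself satisfies find's -perm MODE test.
has_perm() { [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]; }

# audit_sysfolder DIR: print one line per finding; return 0 only if clean.
audit_sysfolder() {
    dir=${1%/}; findings=0
    # chmod 1770: sticky bit set, so users can only remove entries they own.
    if ! has_perm "$dir" -1000; then
        echo "FINDING: sticky bit missing on $dir"; findings=$((findings + 1))
    fi
    # chmod 1770: no read, write or search access for "other".
    for bit in 4 2 1; do
        if has_perm "$dir" "-000$bit"; then
            echo "FINDING: other has permission bit $bit on $dir"
            findings=$((findings + 1))
        fi
    done
    # Inner folders outside the allowlist: "other" should be r-x, never w.
    for sub in "$dir"/*/; do
        sub=${sub%/}
        [ -d "$sub" ] || continue
        name=${sub##*/}
        case "|$WRITABLE|" in *"|$name|"*) continue ;; esac
        if has_perm "$sub" -0002; then
            echo "FINDING: other-writable inner folder: $name"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}
```

Run it as a user who can list the folder (the owner or a staff member), for example: audit_sysfolder "/System Folder".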