Not really. There's no privilege escalation. You can only change a user's password if you're already logged in as that user. That's bad, but it's only going to happen if you literally walk away from a terminal and someone else sits down.


Actually, any application can do this and use the new password to become super-user. Really useful for a virus, I reckon.


How? The problem he mentions at the end of the post only applies to the currently logged-in account. If you can change root's password, then you're already root, and don't need to change root's password to gain access.


Exactly how can it use the new password to become super-user? You can't assume that everyone runs only the default admin user on their OS X system.


If sudo works the same way on Macs as it does on Linux, then anyone in the sudoers file could give a rogue application root access.


It does, and the only user there, by default, is the first user of the system - the administrator. Not all people use this as their main user.
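The two comments above turn on who is actually listed in sudoers. As an added example (not code from the thread or from Apple), here is a small POSIX shell audit that reads a sudoers file and reports every user or group whose command specification is "ALL", i.e. every principal that could hand a process unrestricted root through sudo. The sample sudoers text is constructed, modelled on the macOS default `%admin ALL=(ALL) ALL` line (an assumption; the real file varies between releases), and only the simple `who HOST=(RUNAS) CMD` form is parsed: `Defaults`, alias definitions and comments are skipped.

```shell
#!/bin/sh
# Added example, not from the thread: list the principals a sudoers file
# grants unrestricted (ALL) commands to, so an administrator can see
# which accounts a rogue process could use to reach root via sudo.

# Constructed sample sudoers, modelled on the macOS default (assumption).
SAMPLE_SUDOERS="$(cat <<'EOF'
# sudoers file.
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
alice ALL=(ALL) /usr/bin/less
EOF
)"

# Print, space separated, every principal whose command list is exactly ALL.
# $1 is the sudoers text itself (pass "$(cat /etc/sudoers)" on a real box).
sudo_all_principals() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }        # comments, blanks
        /^[[:space:]]*Defaults/ { next }                     # option lines
        /^[[:space:]]*(User|Runas|Host|Cmnd)_Alias/ { next } # alias definitions
        {
            # The last field is the command spec; ALL means unrestricted.
            if ($NF == "ALL") {
                if (out == "") out = $1; else out = out " " $1
            }
        }
        END { print out }'
}

sudo_all_principals "$SAMPLE_SUDOERS"
```

On the constructed sample this prints `root %admin`; `alice` is not listed because her entry is restricted to a single command. Any account that is a member of a group printed here (on macOS, the `admin` group) is one whose password, if reset or cracked, yields root.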


By default, most do, and what happens by default is what matters to virus writers.


The file includes all password hashes, including root. So crack that, then you have superuser.


By default, Mac OS X disables the root user: http://support.apple.com/kb/ht1528

That said, reset or crack any admin's password and you can go to town with sudo.


Default user can use sudo with its password. That's all you really need.


Not everyone, but I'd reckon MOST people do.


Or run a malicious script?


There are far more damaging "malicious scripts" one could trick someone into running, such as "cd; rm -rf *".

Like I said, it's not good, but it's not what I would call a "security hole" because there is no escalation of privilege. I like Raymond Chen's take on the topic: http://blogs.msdn.com/b/oldnewthing/archive/2006/05/08/59235...


"Like I said, it's not good, but it's not what I would call a "security hole" because there is no escalation of privilege."

Doesn't the end of the article suggest that without admin access, you could just reset the password for any admin user, then be able to log in as them? Sounds like priv escalation to me.

Edit: Actually, reading further comments, it seems you can only reset the password of the currently logged in user without reauthentication, so you can only get admin privs if you've already got a console with admin privs. I'm wrong.
