[FYI] Mac OS 9 Multiple Users weakness fixed (was: Mac OS 9 Multiple Users Control Panel Password Vulnerability)

From: Terje Bless (linkat_private)
Date: Fri Apr 20 2001 - 06:05:14 PDT

    On Fri Dec 29 2000 12:53:57, Todd Kirby <kirbytat_private> wrote:
    
    >Mac OS 9.04 comes with a 'Multiple Users' Control Panel that allows an
    >administrator (called 'Owner') to create user accounts (called 'Normal'
    >users) with limited access to the computer.
    >
    >The problem is that the Owner password can be removed by a Normal user by
    >moving the 'Users & Groups Data File' and logging back in using the Owner
    >account, giving full access to the machine.
    
    The above problem has been fixed by Apple in Macintosh Manager 1.4. See the
    following URLs for the info:
    
    * <URL:http://asu.info.apple.com/swupdates.nsf/artnum/n12046/>
    
    - Macintosh Manager 1.4
      "Various files and folders in the System Folder are now protected from
       users who are logged in as Normal users (in Multiple Users). This
       addresses a security hole that allowed Normal users to remove the
       Users & Groups Data file in order to log in as the computer owner."
    
    * Multiple Users
      "A problem has been corrected that allowed Normal users to remove the
       Users & Groups Data file in order to access the computer owner's
       account. Also, users can no longer move or delete many other important
       system files or folders. However, it's important to note that it is
       impossible to be absolutely sure that no user will be able to make
       changes that cause havoc on the system."
    
    I don't know if Todd ever heard anything -- I referred them to him when I
    reported this to Apple's BugReporter -- but I never heard anything back
    after the initial automated ACK. Moving to UNIX-based Mac OS X with several
    services enabled by default, I hope Apple will give security a higher
    priority. When I bugged Wilfredo Sanchez (former Darwin lead) about that a
    few months ago there were no plans for this. :-(
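The weakness in the original report is a fail-open credential check: when the 'Users & Groups Data File' was moved away, the Owner account became reachable without its password. The following is an added illustration, not Apple's code and not part of the original post; it contrasts that behaviour with a fail-closed check that denies every login when the store is missing or unreadable. The JSON store format, the salted-SHA-256 scheme and all function names are constructed for the example.

```python
"""Fail-open versus fail-closed handling of a missing credential store.

Added example, not Apple's code: it models the Multiple Users weakness
described above, where removing the 'Users & Groups Data File' left the
Owner account reachable without its password. The store format, the
function names and the salted-SHA-256 scheme are constructed for this
illustration.
"""
import hashlib
import hmac
import json
import os
import tempfile

STORE_NAME = "Users & Groups Data File"  # file name taken from the report


def _digest(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_store(owner_password: str) -> dict:
    """Build a constructed credential store holding a single Owner account."""
    salt = os.urandom(16)
    return {"Owner": {"salt": salt.hex(), "hash": _digest(owner_password, salt)}}


def write_store(directory: str, store: dict) -> str:
    """Persist the store under STORE_NAME and return its path."""
    path = os.path.join(directory, STORE_NAME)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(store, fh)
    return path


def _verify(store: dict, user: str, password: str) -> bool:
    """Constant-time comparison of the supplied password against the stored hash."""
    entry = store.get(user)
    if entry is None:
        return False
    actual = _digest(password, bytes.fromhex(entry["salt"]))
    return hmac.compare_digest(entry["hash"], actual)


def login_fail_open(directory: str, user: str, password: str) -> bool:
    """Models the reported weakness: a missing store is read as 'no password set'."""
    path = os.path.join(directory, STORE_NAME)
    if not os.path.exists(path):
        return True  # the file is gone, so the Owner check is silently skipped
    with open(path, encoding="utf-8") as fh:
        return _verify(json.load(fh), user, password)


def login_fail_closed(directory: str, user: str, password: str) -> bool:
    """Hardened behaviour: any problem reading the store denies the login."""
    path = os.path.join(directory, STORE_NAME)
    try:
        with open(path, encoding="utf-8") as fh:
            store = json.load(fh)
    except (OSError, ValueError):
        return False  # missing, unreadable or corrupt store: refuse and alert
    return _verify(store, user, password)


def demo() -> dict:
    """Exercise both policies before and after the store disappears."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_store(tmp, make_store("owner-secret"))
        results = {
            "open_correct": login_fail_open(tmp, "Owner", "owner-secret"),
            "open_wrong": login_fail_open(tmp, "Owner", "guess"),
            "closed_correct": login_fail_closed(tmp, "Owner", "owner-secret"),
            "closed_wrong": login_fail_closed(tmp, "Owner", "guess"),
        }
        os.remove(path)  # stands in for the data file being moved out of place
        results["open_after_removal"] = login_fail_open(tmp, "Owner", "")
        results["closed_after_removal"] = login_fail_closed(tmp, "Owner", "")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login allowed' if ok else 'login denied'}")
```

The fail-closed variant is the policy Apple's fix effectively enforces by protecting the file; the point of the example is that an authentication routine should never interpret the absence of its credential store as the absence of a password.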
    