Bugtraq mailing list archives

Re: Another Mac OS X ScreenSaver Security Issue (after Security Update 2003-07-14)


From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Thu, 31 Jul 2003 16:06:51 -0400

MightyE wrote:

If anything I'd call this a security consideration of Escape Pod. Perhaps Escape Pod should try to talk to the process it's about to kill, and get its 'permission' for killing, and failing a timely response (2 secs?), drop the program. ScreenSaverEngine would have to be tailored to respond to such a request.

On Linux, doesn't xscreensaver run as root? Wouldn't this be another option here (I'm admittedly unfamiliar with Mac OS X), preventing Escape Pod from even being capable of terminating the screensaver process? Or does Escape Pod also run as root?

If you ask me, Escape Pod owes it to their users to develop the product in such a way so as to not nullify reasonable security measures on the part of the OS, even if that's an option to never terminate processes named ScreenSaverEngine.

-MightyE


You read my mind on this one. However, one of the complaints I've heard about having xscreensaver as a SUID root binary is that an exploitable vulnerability (buffer overflow, et al) in the xscreensaver binary could allow an attacker even greater elevated privileges (much worse than simply killing ScreenSaverEngine)... a solution to this would be running the ScreenSaverEngine SUID some other user (like, oh, maybe "screensaver")... and that should stop a usermode program from killing the screensaver. Unless, as you mentioned, that usermode program were running as SUID root - in which case I'd have to ask: Why in the name of $DEITY are you running a program that can kill any process on the screen as root?!?

      -Barry

p.s. I don't have a Mac OS X system on hand nor do I have access to one. I have no way to test the plausibility of this solution on that particular system. :)
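
The question of who may kill a screensaver process running under another UID can be checked against the POSIX kill(2) permission rule. The following is an added example, not part of the original post: it models the rule in C rather than calling the OS. The UIDs are constructed, "appropriate privileges" is simplified to effective UID 0, and Mac OS X specifics are not modeled.

```c
/* Added example: model of the POSIX kill(2) permission check. */
#include <stdbool.h>
#include <stdio.h>

typedef struct { unsigned ruid, euid, suid; } creds; /* real, effective, saved */

/* Constructed sample UIDs (assumptions, not taken from the thread). */
enum { UID_ROOT = 0, UID_SAVER = 250, UID_USER = 501 };

/* exec of a set-user-ID binary: effective and saved IDs become the file
 * owner, while the real UID stays that of the invoking user. */
creds exec_setuid(creds parent, unsigned file_owner) {
    creds c = { parent.ruid, file_owner, file_owner };
    return c;
}

/* A privileged launcher that switches all three IDs before starting
 * the screensaver. */
creds run_fully_as(unsigned uid) {
    creds c = { uid, uid, uid };
    return c;
}

/* POSIX: without privilege, the sender's real or effective UID must match
 * the target's real or saved set-user-ID. */
bool may_signal(creds sender, creds target) {
    if (sender.euid == UID_ROOT) return true; /* simplification of "privileged" */
    return sender.ruid == target.ruid || sender.ruid == target.suid ||
           sender.euid == target.ruid || sender.euid == target.suid;
}

int main(void) {
    creds user = { UID_USER, UID_USER, UID_USER };
    creds suid_saver = exec_setuid(user, UID_SAVER); /* SUID "screensaver" */
    creds full_saver = run_fully_as(UID_SAVER);      /* all IDs switched */
    creds root_tool  = exec_setuid(user, UID_ROOT);  /* SUID root killer */

    printf("user -> SUID-only saver:   %d\n", may_signal(user, suid_saver));
    printf("user -> fully switched:    %d\n", may_signal(user, full_saver));
    printf("SUID-root tool -> switched: %d\n", may_signal(root_tool, full_saver));
    return 0;
}
```

In this model the set-user-ID bit alone leaves the real UID unchanged, so the invoking user can still signal the process; only a process whose real and saved UIDs both differ from the user's is out of reach of an unprivileged sender.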




