Bugtraq mailing list archives

Re: Mac OS 9 Multiple Users Control Panel Password Vulnerability


From: Josh Turiel <JTuriel () HOLYOKEMUTUAL COM>
Date: Wed, 3 Jan 2001 08:09:46 -0500

On Fri, 29 Dec 2000, Todd Kirby wrote:

> Mac OS 9.04 comes with a 'Multiple Users' Control
> Panel that allows an administrator (called 'Owner') to
> create user accounts (called 'Normal' users) with
> limited access to the computer.

I'm not sure I would consider this an earth-shattering issue per se.
Multiple Users is essentially a neat hack that allows a fundamentally
single-user system to be used by more than one "regular" user, not a real
multi-user system itself.  The major design goal of Multiple Users security
appears to be making it difficult for one assigned user to screw up
preferences and settings for another user of the same system.

As it stands, the existing functionality is more on a par with the security
built into Windows 95 than that of Unix (or even Windows NT).  We should
obviously expect better from MacOS X (based on Unix, so the bar is higher).

As for the AppleShare IP ramifications, unless the System Folder of the
target server is shared, or the attacker has physical access to the system,
then the data file needed should not be accessible or visible.

Those who rely on Multiple Users for system security should, however, do two
things routinely:

1: Do not allow users to access the System Folder
2: Do not assume that the system is actually keeping things secure

Then pray that OS X is sufficiently secure... :-)

--
Josh Turiel, Network Services Manager
Holyoke Mutual Insurance Co. in Salem
jturiel () holyokemutual com

