Bugtraq mailing list archives
Re: Mac OS 9 Multiple Users Control Panel Password Vulnerability
From: Josh Turiel <JTuriel () HOLYOKEMUTUAL COM>
Date: Wed, 3 Jan 2001 08:09:46 -0500
On Fri, 29 Dec 2000, Todd Kirby wrote:
Mac OS 9.04 comes with a 'Multiple Users' Control Panel that allows an administrator (called 'Owner') to create user accounts (called 'Normal' users) with limited access to the computer.
I'm not sure I would consider this an earth-shattering issue per se. Multiple Users is essentially a neat hack that allows a fundamentally single-user system to be used by more than one "regular" user, not a real multi-user system itself. The major design goal to Multiple Users security appears to be making it difficult for one assigned user to screw up preferences and settings for another user of the same system. As it stands, the existing functionality is more on a par with the security built-in to Windows 95 than that of Unix (or even Windows NT). We should obviously expect better from MacOS X (based on Unix, so the bar is higher). As for the AppleShare IP ramifications, unless the System Folder of the target server is shared, or the attacker has physical access to the system, then the data file needed should not be accessible or visible. Those who rely on Multiple Users for system security should, however, do two things routinely: 1: Do not allow users to access the System Folder 2: Do not assume that the system is actually keeping things secure Then pray that OS X is sufficiently secure... :-) -- Josh Turiel, Network Services Manager Holyoke Mutual Insurance Co. in Salem jturiel () holyokemutual com
Current thread:
- Mac OS 9 Multiple Users Control Panel Password Vulnerability Todd Kirby (Jan 02)
- Re: Mac OS 9 Multiple Users Control Panel Password Vulnerability K. M. Ellis (Jan 02)
- <Possible follow-ups>
- Re: Mac OS 9 Multiple Users Control Panel Password Vulnerability Josh Turiel (Jan 03)