Fwd: permission issues on Apple OSX

[KF <dotslash () snosoft com>]

Begin forwarded message:

> <vuln-dev () lists securityfocus com>:
> ezmlm-reject: fatal: Sorry, I don't accept messages of MIME 
> Content-Type 'multipart/alternative' (#5.2.3)
>
> --- Below this line is a copy of the message.
>
> Attached is some questions I had on file system permissions.
>
>
> --Apple-Mail-1355773572-2
> Content-Disposition: attachment;
>         filename="permissions.txt"
> Content-Type: text/plain;
>         name="permissions.txt";
>         x-unix-mode=0644
> Content-Transfer-Encoding: quoted-printable
>
> I am confused as to how permissions are set on symbolic links and normal
> files created by the average joe schmoe user with standard privs on 
> OSX.=20=
>
> My exact version info is ... Darwin Kernel Version 1.3.7: Sat=20
> Jun  9 11:12:48 PDT 2001; root:xnu/xnu-124.13.obj~1/RELEASE_PPC=20
> on OSX 10.0.4 Build 4Q12.  Let me walk you through my confusion.=20
>
> Clicked System Prefs then went to users and filled out the form to 
> make =
> a user.
> I made sure I did not check the box to allow this user to admin the box
>
> Telnet in and login as joeschmoe
> [osxinsightrrcom:/tmp] root# telnet localhost
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
>
> Darwin/BSD (osxinsightrrcom) (ttyp3)
>
> login: joeschmoe
> Password:
> Welcome to Darwin!
> [osxinsightrrcom:~] joeschmo% id
> uid=3D504(joeschmo) gid=3D20(staff) groups=3D20(staff)
>
> Looks like the only groups I am in are staff.=20
>
> [osxinsightrrcom:~] joeschmo% pwd
> /Users/joeschmo
> [osxinsightrrcom:~] joeschmo% touch file=20
> [osxinsightrrcom:~] joeschmo% ls -al file
> -rw-r--r--  1 joeschmo  staff  0 Sep 30 19:53 file
>
> all looks fine here uid=3Djoeschmoe gid=3Dstaff
>
> Move to /tmp and do the same thing.=20
> This is the first thing I find odd is the file is now=20
> uid=3Djoeschmoe and gid=3Dwheel instead of gid=3Dstaff.=20
>
> [osxinsightrrcom:~] joeschmo% cd /tmp
> [osxinsightrrcom:/tmp] joeschmo% touch file=20
> [osxinsightrrcom:/tmp] joeschmo% ls -al file
> -rw-r--r--  1 joeschmo  wheel  0 Sep 30 20:05 file
>
> Now lets try an ln because its even weirder. Now perms are=20
> uid=3Droot gid=3Dwheel which makes no sense to me.=20
> ( I was attempting to exploit man so don't mind the file names)=20
>
> [osxinsightrrcom:/tmp] joeschmo% ln -s /etc/issue man.000112
> [osxinsightrrcom:/tmp] joeschmo% ls -al man.000112
> lrwxrwxrwt  1 root  wheel  10 Sep 30 20:07 man.000112 -> /etc/issue
>
> Same command in my home dir. Whats the deal here? Why is it=20
> uid=3Djoeschmoe and gid=3Dstaff here but not in /tmp
> [osxinsightrrcom:~] joeschmo% ln -s /etc/issue man.000112
> [osxinsightrrcom:~] joeschmo% ls -al man.*
> lrwxr-xr-x  1 joeschmo  staff  10 Sep 30 20:10 man.000112 -> /etc/issue
>
> /tmp is a Symbolic link to /private so lets see what it looks like
> [osxinsightrrcom:/private/cores] joeschmo% ls -al /tmp
> lrwxrwxr-t  1 root  admin  11 Sep 30 19:12 /tmp -> private/tmp
> [osxinsightrrcom:/private/cores] joeschmo% ls -al /private/
> total 0
> drwxr-xr-x   7 root  wheel   194 Sep 30 13:31 .
> drwxrwxr-t  26 root  admin   840 Sep 30 19:12 ..
> drwxr-xr-x   3 root  wheel   264 Apr 27 08:30 Drivers
> drwxrwxrwt   3 root  wheel    58 Sep 30 20:12 cores
> drwxr-xr-x  59 root  wheel  1962 Sep 29 16:51 etc
> drwxrwxrwt   7 root  wheel   194 Sep 30 20:07 tmp
> drwxr-xr-x  17 root  wheel   534 Sep 30 13:31 var
>
> cores and tmp seem to have the same perms so the same issue applys 
> there =
> also
> [osxinsightrrcom:/private/cores] joeschmo% ln -s /etc/issue man.000112
> [osxinsightrrcom:/private/cores] joeschmo% ls -al man.*
> lrwxrwxrwt  1 root  wheel  10 Sep 30 20:12 man.000112 -> /etc/issue
>
> Can anyone tell me whats going on here?=20
>
> -KF
>
>
> --Apple-Mail-1355773572-2--
>
> --Apple-Mail-763401367-1--