Return-Path: owner-bugtraq@SECURITYFOCUS.COM
X-Priority: 3
MIME-Version: 1.0
Content-Type: text/plain; Charset=US-ASCII
Message-ID: <20010420150832-b01010701-52da31c0@192.168.1.6>
Date: Fri, 20 Apr 2001 15:05:14 +0200
Reply-To: Terje Bless
Sender: Bugtraq List
From: Terje Bless
Subject: [FYI] Mac OS 9 Multiple Users weakness fixed (was: Mac OS 9 Multiple Users Control Panel Password Vulnerability)
X-cc: Todd Kirby
To: BUGTRAQ@SECURITYFOCUS.COM

On Fri Dec 29 2000 12:53:57, Todd Kirby wrote:

>Mac OS 9.04 comes with a 'Multiple Users' Control Panel that allows an
>administrator (called 'Owner') to create user accounts (called 'Normal'
>users) with limited access to the computer.
>
>The problem is that the Owner password can be removed by a Normal user by
>moving the 'Users & Groups Data File' and logging back in using the Owner
>account, giving full access to the machine.

The above problem has been fixed by Apple in Macintosh Manager 1.4. See the
following URLs for the info:

* Macintosh Manager 1.4

  "Various files and folders in the System Folder are now protected from
  users who are logged in as Normal users (in Multiple Users). This
  addresses a security hole that allowed Normal users to remove the Users &
  Groups Data file in order to log in as the computer owner."

* Multiple Users

  "A problem has been corrected that allowed Normal users to remove the
  Users & Groups Data file in order to access the computer owner's account.
  Also, users can no longer move or delete many other important system
  files or folders. However, it's important to note that it is impossible
  to be absolutely sure that no user will be able to make changes that
  cause havoc on the system."

I don't know if Todd ever heard anything -- I referred them to him when I
reported this to Apple's BugReporter -- but I never heard anything back
after the initial automated ACK.

Moving to UNIX-based Mac OS X with several services enabled by default, I
hope Apple will give security a higher priority. When I bugged Wilfredo
Sanchez (former Darwin lead) about that a few months ago there were no
plans for this. :-(