Friday Jun 20, 2008

Earlier this week this simple RemoteDesktop Exploit was rather publicly posted to demonstrate a simple privilege escalation hole in Mac OS X:

$ osascript -e 'tell app "ARDAgent" to do shell script "whoami"' 

this of course means it's equally easy to strip the SUID bit ..

$ osascript -e 'tell app "ARDAgent" to do shell script "chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"'


then to fix the repair permissions issue - you can leverage pkgutil .. at a cursory glance this appears to work - i just hacked it up and tested it a few times with diskutil verifypermissions .. but of course this uncovers a similar sort of hole, since it lets one modify file permissions on arbitrary files through installdb


$ pkgutil --file-info /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
volume: /
path: System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

pkgid: com.apple.pkg.Essentials
pkg-version: 10.5.0.1.1.1192168948
install-time: 1200277772
uid: 0
gid: 0
mode: 104755
sha1: <505820aa a957116c 5b2e15ea 8ffc99f9 edbd16cc>

pkgid: com.apple.pkg.update.os.10.5.2.combo
pkg-version: 1.0.1.1191932192
install-time: 1202398439
uid: 0
gid: 0
mode: 104755
sha1: <3d89f524 1f845336 27b0406d ed0f2251 89164ccf>
here we'd like to change the mode to 100755 (33261 in decimal) instead of 104755 (35309) .. so it looks like we can dump the plist for the last update:
$ pkgutil --export-plist com.apple.pkg.update.os.10.5.2.combo > ~/fix.plist
then find the entry for
System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
in that plist, modify the mode, change the name of the pkgid, and import the new plist:
$ pkgutil --import-plist ~/fix.plist
$ pkgutil --file-info /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
volume: /
path: System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

pkgid: com.apple.pkg.Essentials
pkg-version: 10.5.0.1.1.1192168948
install-time: 1200277772
uid: 0
gid: 0
mode: 104755
sha1: <505820aa a957116c 5b2e15ea 8ffc99f9 edbd16cc>

pkgid: com.apple.pkg.update.os.10.5.2.combo
pkg-version: 1.0.1.1191932192
install-time: 1202398439
uid: 0
gid: 0
mode: 104755
sha1: <3d89f524 1f845336 27b0406d ed0f2251 89164ccf>

pkgid: com.apple.pkg.update.os.10.5.2.combo.fix
pkg-version: 1.0.1.1191932192
install-time: 1213921289
uid: 0
gid: 0
mode: 100755
now - with this technique you could realistically introduce new files and "fix" their permissions with diskutil .. hrm
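The edit-the-exported-receipt step above, done in a script instead of by hand, as an added example that is not from the original post. It ASSUMES the receipt plist is a dict with a 'pkgid' string and a 'paths' dict keyed by relative path whose entries carry a decimal integer 'mode' (the post's 104755 octal is 35309 decimal); the sample receipt is constructed, and a real export should be checked against that layout before importing the result.

```python
"""Clear the setuid bit on one path inside an exported pkgutil receipt.

Added example, not code from the original post.  ASSUMPTION: the plist that
`pkgutil --export-plist` writes is a dict with a 'pkgid' string and a 'paths'
dict keyed by relative path, each entry holding a decimal integer 'mode'.
Verify against a real export before feeding the output to --import-plist.
"""
import copy
import plistlib
import stat

ARD_PATH = ("System/Library/CoreServices/RemoteManagement/"
            "ARDAgent.app/Contents/MacOS/ARDAgent")


def mode_octal(mode):
    """Render a decimal mode the way pkgutil --file-info prints it (e.g. 104755)."""
    return format(mode, "o")


def fix_receipt(receipt, rel_path=ARD_PATH, suffix=".fix"):
    """Return a copy of `receipt` where `rel_path` has setuid/setgid cleared and
    pkgid gets `suffix` appended, so the import adds a new receipt instead of
    clobbering the original (mirroring the post's '...combo.fix').
    Raises KeyError if the path is not in the receipt."""
    fixed = copy.deepcopy(receipt)
    entry = fixed["paths"][rel_path]          # KeyError if the path is absent
    entry["mode"] = entry["mode"] & ~(stat.S_ISUID | stat.S_ISGID)
    fixed["pkgid"] = receipt["pkgid"] + suffix
    return fixed


def fix_plist_bytes(data, rel_path=ARD_PATH, suffix=".fix"):
    """Same as fix_receipt, but on the raw bytes of an exported plist file."""
    return plistlib.dumps(fix_receipt(plistlib.loads(data), rel_path, suffix))


# Constructed sample standing in for ~/fix.plist; only fields the post shows.
SAMPLE_RECEIPT = {
    "pkgid": "com.apple.pkg.update.os.10.5.2.combo",
    "pkg-version": "1.0.1.1191932192",
    "paths": {
        ARD_PATH: {"uid": 0, "gid": 0, "mode": 0o104755},
        "usr/bin/example": {"uid": 0, "gid": 0, "mode": 0o100755},
    },
}

if __name__ == "__main__":
    out = fix_receipt(SAMPLE_RECEIPT)
    # prints: com.apple.pkg.update.os.10.5.2.combo.fix 100755
    print(out["pkgid"], mode_octal(out["paths"][ARD_PATH]["mode"]))
```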

there's also probably a cleaner way to update the pkg database than this .. i guess you could build a new bom file, but /Library/Receipts/boms is owned by _installer:wheel .. so you'd need to escalate permissions (or sudo) to drop something there

Thursday Mar 10, 2005

If you haven't played with it yet: Google Maps really is one of the better interfaces out there. Smooth zoom, a clear detailed road layout with a preload, clean recentering, and smooth dragging make this all pretty nice. Of course it is rather US centric, and if you zoom on the default map you'll find that the Coffeyville Country Club in Kansas is the center of the world! The relevance of results from their local search is a little funny if you don't have an exact business name .. for example a search for "thread stores" in Soho gave us things like "The MoMA design store", "the Apple store" (presumably matching on store), and KidRobot .. none of which carry any sort of thread. A search on just "thread" seems to yield much better results.

Overall with google, I guess Sergey Brin and his team seem to be setting a number of standards. I do remember his geeky face from many late nights in the old WAM labs - hacking on the old NeXT black boxes. I do appreciate the initial work they did back at Stanford on deterministic relevance. It's a pity that they haven't developed a better business model, and seem to have forgotten most of their academic roots. It's nice that the ads are a little less intrusive looking, but just like Red Hat, motives often become questionable when you cross over into that corporate realm. Good to see his dad still teaching math at UMD though. I guess the contributions back into academia are probably key for real innovation and growth .. funny how much you can lose focus when you put on the million dollar corporation hat (and yes i know it's ironic writing this on a sun blog .. i guess i'm just jealous i don't have the $4B and my stock [of which i have admirably fewer shares] is at 1/45th its value with worthless options i can buy at 10x our current price)

Monday Dec 06, 2004

Sister-in-law's kids
Fun with the in-laws

Tuesday Aug 03, 2004

ok .. spent some time looking at quartz (most extreme window manager) and apple's hodgepodge of "XFree .. no opendesktop .. no X.org .. eh who cares who gets the credit" proprietary hook hacks (erm .. i mean improvements .. odd they don't pass out the good stuff) .. and decided to continue with my apple rantings ..


(yep .. that's woz and jobs, courtesy of woz' site)

i know they're onto something .. i keep coming back to them and staring at their stuff .. i also like that they make an effort with opensource for their staple .. but there's something inherently different, something missing in my mind .. there's not enough woz left in the soul of apple and way too much steve .. the picture above from Wozniak's site says it all .. just look at how the image of steve is a harrowingly familiar foreshadowed spectre to the hip mac crowd .. i can't count the number of times that i'll be looking at a mac or apple product and somebody comes over, often looking (or trying to look) like steve in this picture, and starts picking on what you're working with or looking at without even acknowledging your presence .. i mean there's something oddly anti-relational and aloof that seems to get transcended through to mac users (ok, ok, i'm stereotyping heavily here) - but it's even present in the interface .. it's like the hip cool blue plasticky box that's trying to be professional by adopting the geriatric silver "i'm an expensive luxury vehicle - so you can feel comfortable paying twice the price for my quality product" look .. and that's the part that they leave out of opensource, because it's what they want to own and what they can't opensource - their branding .. imho, macs never fully caught their potential in the 80's because they were too much of a fad .. and now 20 years later when the new generation of kids get exposed to the same thing, history repeats itself.

i'd much rather see computing naturally blended into an environment .. i mean come on, we look like freaks these days with wires sticking out of our heads and electronic notebooks with antiquated typewriter driven keypads producing drivel on oddly lit fragile screens .. someday we'll look back at the pictures and commercials of this generation and laugh .. just like we do when we see the huge cellphones from the early 90's or think about 8-tracks, betamax, and laserdiscs

This blog copyright 2009 by jone