(Msg. 1) Posted: Mon Apr 17, 2006 9:17 pm
Post subject: security breach? Archived from groups: comp>sys>mac>system
I have updated to 10.4.6, and twice after running disk utility I have
gotten this log entry:
Apr 17 15:39:40: Disk Utility started.
Repairing permissions for “Macintosh HD”
Determining correct file permissions.
Permissions differ on ./private/var/log/secure.log, should be -rw-------, they are -rw-r-----
Owner and group corrected on ./private/var/log/secure.log
Permissions corrected on ./private/var/log/secure.log
Permissions repair complete
The privileges have been verified or repaired on the selected volume
Is this serious? Has anyone else gotten this?
Thanks,
Russ

(Msg. 2) Posted: Mon Apr 17, 2006 9:17 pm
Post subject: Re: security breach?
In article
<russelldumke-E2B5CC.16175317042006.RemoveThis@newsclstr02.news.prodigy.com>,
Russ Dumke <russelldumke.RemoveThis@sbcglobal.net> wrote:
> Is this serious? Has anyone else gotten this?
Sorry, going off on a tangent.
Why is it that the first time I read the subject of this thread, I saw
"security bleach"? Am I becoming Chinese?
--
We are the music makers, And we are the dreamers of dreams,
Wandering by lone sea-breakers, And sitting by desolate streams.
from "Ode", Arthur O'Shaughnessy

(Msg. 3) Posted: Mon Apr 17, 2006 9:17 pm
Post subject: Re: security breach?
This message is not archived

(Msg. 4) Posted: Mon Apr 17, 2006 9:30 pm
Post subject: Re: security breach?
Russ Dumke <russelldumke.DeleteThis@sbcglobal.net> writes:
>
> I have updated to 10.4.6, and twice after running disk utility I have
> gotten this log entry:
>
> Apr 17 15:39:40: Disk Utility started.
>
> Repairing permissions for “Macintosh HD”
> Determining correct file permissions.
> Permissions differ on ./private/var/log/secure.log, should be -rw-------, they are -rw-r-----
> Owner and group corrected on ./private/var/log/secure.log
> Permissions corrected on ./private/var/log/secure.log
>
> Permissions repair complete
>
> The privileges have been verified or repaired on the selected volume
>
> Is this serious? Has anyone else gotten this?
Yes, we've all seen it. And no, it's not a security breach. But it is
a bug that could be used as a part of an exploit if you regularly work
from an administrator account.
The secure log's permissions are supposed to be -rw-------, which means
that only the root account can read and write it.
There is a bug in the daily periodic task that changes this every
night. More specifically, it deletes the oldest secure log and then
renames all the remaining ones, and creates a new most-recent secure.log
file. (This is what log-rotation means). When it does so, it creates
the new log file as -rw-r-----, which means that any user in the admin
group can read the file.
If neither you nor any of your other users work from an admin account,
then this bug means nothing, since the file will not be readable.
If you normally work from an admin account, and you accidentally install
a piece of malware, it might be able to use the log file's information
as a part of an exploit. The secure log keeps track of successful and
failed authentication attempts, for a variety of programs, so it could
be used to determine what accounts have recently been used with which
services to access the computer.
-- David

(Msg. 5) Posted: Tue Apr 18, 2006 9:00 am
Post subject: Re: security breach?
Howard S Shubs wrote:
> Sorry, going off on a tangent.
>
> Why is it that the first time I read the subject of this thread, I saw
> "security bleach"? Am I becoming Chinese?
Don't knock security bleach. I once had a girlfriend that used it and
her underwear was not only whiter than white, but also totally
impenetrable.
As for the confusion of R's and L's, I would like to point out that
Asians are not the only ones who confuse the two letters. They are
universally confused by English speakers as well.
How do /you/ pronounce *colonel* ? Have you ever heard of the female
name *Kathleen* (or Cathleen?) It's a variation of *Katherine* (or
Catherine,) by English speakers who don't always differentiate between
R and L, but use them interchangeably.
The foregoing further demonstrates that English speakers frequently
don't differentiate between their K's and their C's.
I don't know much Chinese, but I speak Lao and Thai. Some consonants,
vowels, and diphthongs that are quite distinct to the ears of native
speakers of these languages are not differentiated by westerners.
Davoud
--
usenet *at* davidillig dawt com

(Msg. 6) Posted: Tue Apr 18, 2006 11:31 am
Post subject: Re: security breach?
In article <180420060900213570%star@sky.net>, Davoud <star.TakeThisOut@sky.net>
wrote:
> Don't knock security bleach. I once had a girlfriend that used it and
> her underwear was not only whiter than white, but also totally
> impenetrable.
"once had", yeah, that'd do it. Impenetrable underwear. <sigh>
> As for the confusion of R's and L's, I would like to point out that
> Asians are not the only ones who confuse the two letters. They are
> universally confused by English speakers as well.
True. Consider that I'm a native English (well, American) speaker, and
I'm the one who misread it in the first place.
> I don't know much Chinese, but I speak Lao and Thai. Some consonants,
> vowels, and diphthongs that are quite distinct to the ears of native
> speakers of these languages are not differentiated by westerners.
Note the  on my comment.
--
We are the music makers, And we are the dreamers of dreams,
Wandering by lone sea-breakers, And sitting by desolate streams.
from "Ode", Arthur O'Shaughnessy

(Msg. 7) Posted: Tue Apr 18, 2006 11:40 pm
Post subject: Re: security breach?
In article <m2lku36gb1.fsf.RemoveThis@qqqq.invalid>, shamino.RemoveThis@techie.com (David C.)
wrote:
> Russ Dumke <russelldumke.RemoveThis@sbcglobal.net> writes:
> >
> > I have updated to 10.4.6, and twice after running disk utility I have
> > gotten this log entry:
> >
> > Apr 17 15:39:40: Disk Utility started.
> >
> > Repairing permissions for “Macintosh HD”
> > Determining correct file permissions.
> > Permissions differ on ./private/var/log/secure.log, should be -rw-------, they are -rw-r-----
> > Owner and group corrected on ./private/var/log/secure.log
> > Permissions corrected on ./private/var/log/secure.log
> >
> > Permissions repair complete
> >
> > The privileges have been verified or repaired on the selected volume
> >
> > Is this serious? Has anyone else gotten this?
>
> Yes, we've all seen it. And no, it's not a security breach. But it is
> a bug that could be used as a part of an exploit if you regularly work
> from an administrator account.
>
> The secure log's permissions are supposed to be -rw-------, which means
> that only the root account can read and write it.
>
> There is a bug in the daily periodic task that changes this every
> night. More specifically, it deletes the oldest secure log and then
> renames all the remaining ones, and creates a new most-recent secure.log
> file. (This is what log-rotation means). When it does so, it creates
> the new log file as -rw-r-----, which means that any user in the admin
> group can read the file.
>
> If neither you nor any of your other users work from an admin account,
> then this bug means nothing, since the file will not be readable.
>
> If you normally work from an admin account, and you accidentally install
> a piece of malware, it might be able to use the log file's information
> as a part of an exploit. The secure log keeps track of successful and
> failed authentication attempts, for a variety of programs, so it could
> be used to determine what accounts have recently been used with which
> services to access the computer.
>
> -- David
Thank you for the reply. FWIW, I just tried running DU after doing the
daily cron job via MacJanitor, and I didn't see the problem, so I'm not
sure if it's a daily thing or not. I hope Apple knows about and fixes
this bug soon.
Russ

(Msg. 8) Posted: Wed Apr 19, 2006 7:00 pm
Post subject: Re: security breach?
Russ Dumke <russelldumke RemoveThis @sbcglobal.net> writes:
>
> Thank you for the reply. FWIW, I just tried running DU after doing the
> daily cron job via MacJanitor, and I didn't see the problem, so I'm
> not sure if it's a daily thing or not. I hope Apple knows about and
> fixes this bug soon.
Sorry. I should've checked more closely. Secure.log is rotated by the
weekly script.
Log rotation is actually done by all three scripts (for different logs).
The daily script rotates these files:
/var/account/acct
system.log
The weekly script rotates these files:
ftp.log
http/error_log
httpd/access_log
hwmond.log
ipfw.log
lookupd.log
lpr.log
mail.log
netinfo.log
ppp.log
secure.log
The monthly script rotates these files:
fax/*.log
install.log
wtmp
The fix for the problem is to copy the log-rotation section of the
weekly script. One copy should only rotate secure.log, the other should
have secure.log removed from its list. Then in the block rotating
secure.log, change the permissions (the chmod command) from 640 to 600.
You can do it if you don't want to wait for Apple to fix this.
But as I wrote, this bug really means nothing unless you normally work
from an admin account, which is bad security practice in the first place.
-- David

(Msg. 9) Posted: Wed Apr 19, 2006 10:35 pm
Post subject: Re: security breach?
Howard S Shubs <howard RemoveThis @shubs.net> wrote:
> Note the on my comment.
An intruder that does not occur in any of my usual areas of discourse
What set of signs does it belong to? What does it signify?
--
Hylton

(Msg. 10) Posted: Wed Apr 19, 2006 10:35 pm
Post subject: Re: security breach?
In article <1he27iu.kf84ld1ajvtiiN%uo-wgo@qvepba.pb.hx.invalid>,
uo-wgo.RemoveThis@qvepba.pb.hx.invalid (Hylton Boothroyd) wrote:
> Howard S Shubs <howard.RemoveThis@shubs.net> wrote:
> > Note the on my comment.
>
> An intruder that does not occur in any of my usual areas of discourse
>
>
> What set of signs does it belong to? What does it signify?
Like your smiley, except with a bigger smile.
--
We are the music makers, And we are the dreamers of dreams,
Wandering by lone sea-breakers, And sitting by desolate streams.
from "Ode", Arthur O'Shaughnessy

(Msg. 11) Posted: Thu Apr 20, 2006 12:54 am
Post subject: Re: security breach?
In article <m2wtdlpezl.fsf DeleteThis @qqqq.invalid>, shamino DeleteThis @techie.com (David C.)
wrote:
> Russ Dumke <russelldumke DeleteThis @sbcglobal.net> writes:
> >
> > Thank you for the reply. FWIW, I just tried running DU after doing the
> > daily cron job via MacJanitor, and I didn't see the problem, so I'm
> > not sure if it's a daily thing or not. I hope Apple knows about and
> > fixes this bug soon.
>
> Sorry. I should've checked more closely. Secure.log is rotated by the
> weekly script.
>
> Log rotation is actually done by all three scripts (for different logs).
>
> The daily script rotates these files:
> /var/account/acct
> system.log
>
> The weekly script rotates these files:
> ftp.log
> http/error_log
> httpd/access_log
> hwmond.log
> ipfw.log
> lookupd.log
> lpr.log
> mail.log
> netinfo.log
> ppp.log
> secure.log
>
> The monthly script rotates these files:
> fax/*.log
> install.log
> wtmp
>
> The fix for the problem is to copy the log-rotation section of the
> weekly script. One copy should only rotate secure.log, the other should
> have secure.log removed from its list. Then in the block rotating
> secure.log, change the permissions (the chmod command) from 640 to 600.
>
> You can do it if you don't want to wait for Apple to fix this.
>
> But as I wrote, this bug really means nothing unless you normally work
> from an admin account, which is bad security practice in the first place.
>
> -- David
Hmmmm... I do run as admin (I've seen some reports on the net about
problems that occur when you don't). I'm afraid you lost me on the fix
(copying the log-rotation section of the weekly script). How exactly
would I do this?
Russ

(Msg. 12) Posted: Thu Apr 20, 2006 9:10 pm
Post subject: Re: security breach?
Russ Dumke <russelldumke.TakeThisOut@sbcglobal.net> writes:
>
> Hmmmm... I do run as admin (I've seen some reports on the net about
> problems that occur when you don't).
In the Windows world, lots of stuff breaks if you're not an admin.
In the Mac world, I only know of one program that breaks - the help
system in Adobe Photoshop. This is because the system is an embedded
web browser (Opera in Photoshop Elements 3), and it caches the pages in
the application package itself - which you therefore have to be able to
write to.
A very bad design, IMO. I have noticed, however, that if you launch the
app from an admin account, and pull up the help system once (to populate
whatever it needs in the cache), you can then work from a non-admin
account afterwards.
> I'm afraid you lost me on the fix (copying the log-rotation section of
> the weekly script). How exactly would I do this?
Please don't take this as a blow-off answer, but if you don't understand
shell scripts enough to be able to figure it out from what I've written
so far, I don't think it would be a good idea for you to try. A mistake
could render your periodic tasks non-functional. Future Apple updates
may or may not overwrite your changes, depending on how they wrote their
update scripts.
As I wrote before, there's a block of code in the weekly script that
rotates a large number of log files. You'd have to copy that code and
make different modifications to each set of code. Rig one copy to do
what it's doing already, but without the secure log. Rig the other one
to only work on the secure log, and apply different permissions to the
newly-created logfile.
-- David
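
Added example (not part of the thread, and not Apple's weekly script): the two-block layout described in Msg. 8 and Msg. 12, written against a scratch directory so the effect on file modes can be seen. The function names, the keep count of 4, the shortened file list and the sample files are assumptions made for illustration.

```sh
#!/bin/sh
# Added illustration. It rotates files in a scratch directory, never /var/log.

# file_mode PATH: print the ten-character mode string, e.g. -rw-------
file_mode() { ls -ld "$1" | cut -c1-10; }

# rotate_logs DIR MODE KEEP FILE...
# For each FILE present in DIR: shift FILE.0..FILE.(KEEP-1) up by one
# (overwriting the oldest), move FILE to FILE.0, then create an empty FILE.
rotate_logs() {
    dir=$1 mode=$2 keep=$3
    shift 3
    for f in "$@"; do
        [ -f "$dir/$f" ] || continue
        i=$keep
        while [ "$i" -gt 0 ]; do
            prev=$((i - 1))
            [ -f "$dir/$f.$prev" ] && mv -f "$dir/$f.$prev" "$dir/$f.$i"
            i=$prev
        done
        mv -f "$dir/$f" "$dir/$f.0"
        # Create owner-only first, then set MODE, so the new file is never
        # briefly readable by more accounts than MODE allows.
        (umask 077 && : > "$dir/$f") && chmod "$mode" "$dir/$f"
    done
}

# weekly_rotate DIR: the two-block layout from the thread.
weekly_rotate() {
    # Block 1: the general list with secure.log removed, still mode 640.
    rotate_logs "$1" 640 4 ftp.log ipfw.log lpr.log mail.log ppp.log
    # Block 2: secure.log alone, owner-only (600 instead of 640).
    rotate_logs "$1" 600 4 secure.log
}

# secure_log_ok DIR: succeed only if DIR/secure.log is exactly -rw-------
secure_log_ok() { [ "$(file_mode "$1/secure.log")" = "-rw-------" ]; }

# Demo on constructed sample files.
demo=$(mktemp -d)
echo "constructed auth line" > "$demo/secure.log"
echo "constructed mail line" > "$demo/mail.log"
chmod 640 "$demo/secure.log"          # the state Disk Utility complained about
weekly_rotate "$demo"
for f in secure.log mail.log; do
    printf '%s %s\n' "$(file_mode "$demo/$f")" "$f"
done
rm -rf "$demo"
```

Run as root, `secure_log_ok /private/var/log` gives the same check against the real file after the weekly task has run.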

(Msg. 13) Posted: Thu Apr 20, 2006 11:29 pm
Post subject: Re: security breach?
Howard S Shubs <howard.TakeThisOut@shubs.net> wrote:
> In article <1he27iu.kf84ld1ajvtiiN%uo-wgo@qvepba.pb.hx.invalid>,
> uo-wgo.TakeThisOut@qvepba.pb.hx.invalid (Hylton Boothroyd) wrote:
>
> > Howard S Shubs <howard.TakeThisOut@shubs.net> wrote:
> > > Note the on my comment.
> >
> > An intruder that does not occur in any of my usual areas of discourse
> >
> >
> > What set of signs does it belong to? What does it signify?
>
> Like your smiley, except with a bigger smile.
Aaahhhh! Thanks
--
Hylton

(Msg. 14) Posted: Thu Apr 20, 2006 11:30 pm
Post subject: Re: security breach?
In article <m2odywj6m3.fsf.DeleteThis@qqqq.invalid>, shamino.DeleteThis@techie.com (David C.)
wrote:
> Russ Dumke <russelldumke.DeleteThis@sbcglobal.net> writes:
> >
> > Hmmmm... I do run as admin (I've seen some reports on the net about
> > problems that occur when you don't).
>
> In the Windows world, lots of stuff breaks if you're not an admin.
>
> In the Mac world, I only know of one program that breaks - the help
> system in Adobe Photoshop. This is because the system is an embedded
> web browser (Opera in Photoshop Elements 3), and it caches the pages in
> the application package itself - which you therefore have to be able to
> write to.
>
> A very bad design, IMO. I have noticed, however, that if you launch the
> app from an admin account, and pull up the help system once (to populate
> whatever it needs in the cache), you can then work from a non-admin
> account afterwards.
>
> > I'm afraid you lost me on the fix (copying the log-rotation section of
> > the weekly script). How exactly would I do this?
>
> Please don't take this as a blow-off answer, but if you don't understand
> shell scripts enough to be able to figure it out from what I've written
> so far, I don't think it would be a good idea for you to try. A mistake
> could render your periodic tasks non-functional. Future Apple updates
> may or may not overwrite your changes, depending on how they wrote their
> update scripts.
>
> As I wrote before, there's a block of code in the weekly script that
> rotates a large number of log files. You'd have to copy that code and
> make different modifications to each set of code. Rig one copy to do
> what it's doing already, but without the secure log. Rig the other one
> to only work on the secure log, and apply different permissions to the
> newly-created logfile.
>
> -- David
Thanks for the feedback. I don't recall what it was that allegedly
didn't work under a user account, and I don't recall exactly where I
read it (I seem to recall Macfixit or Rixstep). I think it was more than
you say, though, and it persuaded me not to set one up. I didn't see
that your solution involved shell scripts. I have no experience with
these, but now that I know what you have in mind, I can go back to it
should I ever acquire that expertise.
Russ