From: Kenny Tilton
Subject: Linux or OS X for Portable AllegroServe?
Date: 
Message-ID: <WgPpe.10594$XB2.2181167@twister.nyc.rr.com>
I was all stoked to run a web site on OS X cuz more than a few folks 
rave on it over Linux (mostly in re ease of maintenance), but the person 
I want to set this up for me says OS X bites as bad as win32 for 
security. whoa.

Any all feedback welcome.

btw, I noticed on the Portable AllegroServe site that OpenMCL is 
supported, but also something about the strength of the port varying 
from platform to platform. So... where does OpenMCL rank?

Thx.

-- 
Kenny

Why Lisp? http://lisp.tech.coop/RtL%20Highlight%20Film

"If you plan to enter text which our system might consider to be 
obscene, check here to certify that you are old enough to hear the 
resulting output." -- Bell Labs text-to-speech interactive Web page

From: jonathon
Subject: Re: Linux or OS X for Portable AllegroServe?
Date: 
Message-ID: <1118291979.763899.113810@o13g2000cwo.googlegroups.com>
Kenny Tilton wrote:
> I was all stoked to run a web site on OS X cuz more than a few folks
> rave on it over Linux (mostly in re ease of maintenance), but the person
> I want to set this up for me says OS X bites as bad as win32 for
> security. whoa.
>
> Any all feedback welcome.

My wife has an iBook, and I run FreeBSD (the core of OS X) on my boxes.
I'm not an expert on this, but I have heard and read that Mac changes
the permissions on a lot of files in OS X to make things work, at the
expense of security.  The best security they have is that x86 code
doesn't run on their CPU.
From: Kenny Tilton
Subject: Re: Linux or OS X for Portable AllegroServe?
Date: 
Message-ID: <0cQpe.10595$XB2.2185141@twister.nyc.rr.com>
jonathon wrote:

> 
> Kenny Tilton wrote:
> 
>>I was all stoked to run a web site on OS X cuz more than a few folks
>>rave on it over Linux (mostly in re ease of maintenance), but the person
>>I want to set this up for me says OS X bites as bad as win32 for
>>security. whoa.
>>
>>Any all feedback welcome.
> 
> 
> My wife has an iBook, and I run FreeBSD (the core of OS X) on my boxes.
>  I'm not an expert on this, but I have heard and read that Mac changes
> the permissions on a lot of files in OS X to make things work, at the
> expense of  security.  The best security they have is that x86 code
> doesn't run on their CPU.
> 

uh-oh. Grab those PowerPC Macs while we can? :)

thx for the input.

-- 
Kenny

Why Lisp? http://lisp.tech.coop/RtL%20Highlight%20Film

"If you plan to enter text which our system might consider to be 
obscene, check here to certify that you are old enough to hear the 
resulting output." -- Bell Labs text-to-speech interactive Web page
From: Espen Vestre
Subject: Re: Linux or OS X for Portable AllegroServe?
Date: 
Message-ID: <kw7jh4uej2.fsf@merced.netfonds.no>
"jonathon" <···········@bigfoot.com> writes:

> My wife has an iBook, and I run FreeBSD (the core of OS X) on my boxes.
>  I'm not an expert on this, but I have heard and read that Mac changes
> the permissions on a lot of files in OS X to make things work, at the
> expense of  security. 

Apple can change this in a very simple manner: Tell the user (during
the installation process) that the first account is for admin work
only, and force her to create at least one second account without
admin privileges.  You should help your wife to do something similar,
otherwise she is running with privileges a little too close to those
of root (the main problem is that the admin account has group write
permission to /Applications, this is a silly thing that they could
have gotten rid of by version 10.3, which is able to use sudo for
copying to /Applications via Finder anyway).

But except for this, the out-of-the-box security of OS X is not bad at
all, e.g. it doesn't turn on all kinds of unused services by default
like most unixen used to do.  If you never log in as the admin user,
turn on the fw (ipfw, with an easy-to-use gui interface) and install
all the security updates, you're pretty safe with an OS X box, but
of course you need to regularly upgrade your social engineering 
detection device, too...

(I think I'd actually recommend OS X over even OpenBSD box for most
 users, since it's easier to make safe for an inexperienced user, and
 an order of magnitude easier to upgrade when fixes arrive.  Apple
 hasn't always been quite fast enough with their patches, though)
-- 
  (espen)
From: GP lisper
Subject: Re: Linux or OS X for Portable AllegroServe?
Date: 
Message-ID: <1118307603.1cb9eb93f46a1ea6d8732b0ec1c6f073@teranews>
On Thu, 09 Jun 2005 10:21:05 +0200, <·····@vestre.net> wrote:
> "jonathon" <···········@bigfoot.com> writes:
>
>> My wife has an iBook, and I run FreeBSD (the core of OS X) on my boxes.
>>  I'm not an expert on this, but I have heard and read that Mac changes
>> the permissions on a lot of files in OS X to make things work, at the
>> expense of  security. 
>
> Apple can change this in a very simple manner: Tell the user (during
> the installation process) that the first account is for admin work
> only, and force her to create at least one second account without
> admin privileges.  You should help your wife to do something similar,
> otherwise she is running with privileges a little too close to those
> of root (the main problem is that the admin account has group write
> permission to /Applications, this is a silly thing that they could
> have gotten rid of by version 10.3, which is able to use sudo for
> copying to /Applications via Finder anyway).
>
> But except for this, the out-of-the-box security of OS X is not bad at
> all, e.g. it doesn't turn on all kinds of unused services by default


Alas, it suffers from several local root exploits, and probably more
(I remember a glut of Bugtraq posts when it was released).  You should
check Bugtraq archives for details.  Misconfigured web services or the
more common holes in various 3rd party products allow remote access to
those local exploits.


-- 
With sufficient thrust, pigs fly fine.
From: Raymond Wiker
Subject: Re: Linux or OS X for Portable AllegroServe?
Date: 
Message-ID: <868y1j521w.fsf@raw.grenland.fast.no>
GP lisper <········@CloudDancer.com> writes:

> On Thu, 09 Jun 2005 10:21:05 +0200, <·····@vestre.net> wrote:
>> "jonathon" <···········@bigfoot.com> writes:
>>
>>> My wife has an iBook, and I run FreeBSD (the core of OS X) on my boxes.
>>>  I'm not an expert on this, but I have heard and read that Mac changes
>>> the permissions on a lot of files in OS X to make things work, at the
>>> expense of  security. 
>>
>> Apple can change this in a very simple manner: Tell the user (during
>> the installation process) that the first account is for admin work
>> only, and force her to create at least one second account without
>> admin privileges.  You should help your wife to do something similar,
>> otherwise she is running with privileges a little too close to those
>> of root (the main problem is that the admin account has group write
>> permission to /Applications, this is a silly thing that they could
>> have gotten rid of by version 10.3, which is able to use sudo for
>> copying to /Applications via Finder anyway).
>>
>> But except for this, the out-of-the-box security of OS X is not bad at
>> all, e.g. it doesn't turn on all kinds of unused services by default
>
>
> Alas, it suffers from several local root exploits, and probably more
> (I remember a glut of Bugtraq posts when it was released).  You should
> check Bugtraq archives for details.  Misconfigured web services or the
> more common holes in various 3rd party products allow remote access to
> those local exploits.

        What do you mean by "it"? Mac OS X 10.0 without any patches,
or a fully patched 10.4.1?

-- 
Raymond Wiker                        Mail:  ·············@fast.no
Senior Software Engineer             Web:   http://www.fast.no/
Fast Search & Transfer ASA           Phone: +47 23 01 11 60
P.O. Box 1677 Vika                   Fax:   +47 35 54 87 99
NO-0120 Oslo, NORWAY                 Mob:   +47 48 01 11 60
From: GP lisper
Subject: Re: Linux or OS X for Portable AllegroServe?
Date: 
Message-ID: <1118298604.287ea64b98578eb093826abf21ddc002@teranews>
On Thu, 09 Jun 2005 04:08:22 GMT, <·······@nyc.rr.com> wrote:
>
>
> I was all stoked to run a web site on OS X cuz more than a few folks 
> rave on it over Linux (mostly in re ease of maintenance), but the person 
> I want to set this up for me says OS X bites as bad as win32 for 
> security. whoa.
>
> Any all feedback welcome.

A brief glance thru my Bugtraq archives tends to back that claim up.
Looks like the basic chroot jail is a necessity for OS X.  You should
review the Bugtraq archives yourself, should you decide to continue.
Note that many people fail to consider the wire speed when deciding on
a web-box, e.g. Sparc Classics work well for static sites on DSL.


-- 
With sufficient thrust, pigs fly fine.
From: ···········@gmail.com
Subject: Re: Linux or OS X for Portable AllegroServe?
Date: 
Message-ID: <1118329075.961876.101410@g14g2000cwa.googlegroups.com>
OS X has had at least one version that was vulnerable to a drive-by
install, where you visit a site, and software gets installed without
you knowing about it, and it also has been vulnerable to a local root
for a long while.  All in all, I would (maybe) put it slightly ahead of
windows, but only in terms of the number of exploits.  It is nothing
close to the other bsds and linuxen.

OS X drive-by install software:
http://stephan.com/widgets/zaptastic/

OS X local root:
http://www.networksecurityarchive.org/html/Bugtraq/2004-12/msg00074.html

Note that this could get you into a situation in which a user on a
non-root account could visit a site, and get software that will be
uninstallable by anyone but root.  Not so cool.
From: Dave Fayram
Subject: Re: Linux or OS X for Portable AllegroServe?
Date: 
Message-ID: <1118701356.421819.39040@g43g2000cwa.googlegroups.com>
> OS X drive-by install software:
> http://stephan.com/widgets/zaptastic/

Addressed as of 10.4.1.

> OS X local root:
> http://www.networksecurityarchive.org/html/Bugtraq/2004-12/msg00074.html

Also fixed on self-same security update.

> Note that this could get you into a situation in which a user on a
> non-root account could visit a site, and get software that will be
> uninstallable by anyone but root.  Not so cool.

Actually, that's not the case. The drive-by install could download and
position the widgets, but could not cause them to execute.

Mac OS X's security has traditionally been fairly good. As with any
desktop linux distro, holes do pop up, but tend to be fixed quickly.
From: R. Mattes
Subject: Re: Linux or OS X for Portable AllegroServe?
Date: 
Message-ID: <pan.2005.06.09.06.51.30.219905@mh-freiburg.de>
On Thu, 09 Jun 2005 04:08:22 +0000, Kenny Tilton wrote:

> I was all stoked to run a web site on OS X cuz more than a few folks 
> rave on it over Linux (mostly in re ease of maintenance), but the person 
> I want to set this up for me says OS X bites as bad as win32 for 
> security. whoa.

Whoa indeed. I've heard the same about Linux (years ago in Colorado, in 
a comparison with SunOS). 
First of all, what version and incarnation of OSX? Apple sells two
versions, one for the average desktop user and a dedicated server edition.
I wouldn't call myself an OSX expert since somehow I ended up running
Linux/PPC most of the time on my box but I never thought that OSX was esp.
insecure. IIRC the box came with a disabled root account and most services
with rather secure defaults. Anyway, most break-ins into (web)servers 
are caused by either bad/lazy administrators and bugs in the application
code. The OS doesn't make much of a difference here. A lot of the recent
vulnerabilities hit libraries on all target platforms (zlib, jpeg, tiff
handling code etc.). One might even argue that the Mac, because of its
PowerPC is a more secure platform - smaller overall population. I think
some authorities would even go as far as to claim that an architecture
with (much) more registers is less prone to buffer overflows ...

> Any all feedback welcome.
> 
> btw, I noticed on the Portable AllegroServe site that OpenMCL is
> supported, but also something about the strength of the port varying
> from platform to platform. So... where does OpenMCL rank?

Hard to tell, I lack the Inteloids to compare with :-/

 Cheers, Ralf Mattes

> Thx.
From: Edi Weitz
Subject: Re: Linux or OS X for Portable AllegroServe?
Date: 
Message-ID: <uhdg7zzg8.fsf@agharta.de>
On Thu, 09 Jun 2005 08:51:30 +0200, "R. Mattes" <··@mh-freiburg.de> wrote:

> One might even argue that the Mac, because of its PowerPC is a more
> secure platform - smaller overall population. I think some
> authorities would even go as far as to claim that an architecture
> with (much) more registers is less prone to buffer overflows ...

That must be the reason they're switching to Intel now.  More
fun... :)

Cheers,
Edi.

-- 

Lisp is not dead, it just smells funny.

Real email: (replace (subseq ·········@agharta.de" 5) "edi")
From: Ulrich Hobelmann
Subject: Re: Linux or OS X for Portable AllegroServe?
Date: 
Message-ID: <3gqf8fFdnbd0U1@individual.net>
Edi Weitz wrote:
> On Thu, 09 Jun 2005 08:51:30 +0200, "R. Mattes" <··@mh-freiburg.de> wrote:
> 
> 
>>One might even argue that the Mac, because of its PowerPC is a more
>>secure platform - smaller overall population. I think some
>>authorities would even go as far as to claim that an architecture
>>with (much) more registers is less prone to buffer overflows ...
> 
> 
> That must be the reason they're switching to Intel now.  More
> fun... :)

More software developers, they didn't say what kind ;)

so virus writers rejoice...

-- 
Don't let school interfere with your education. -- Mark Twain
From: R. Mattes
Subject: Re: Linux or OS X for Portable AllegroServe?
Date: 
Message-ID: <pan.2005.06.09.09.42.55.754352@mh-freiburg.de>
On Thu, 09 Jun 2005 10:50:15 +0200, Edi Weitz wrote:

> On Thu, 09 Jun 2005 08:51:30 +0200, "R. Mattes" <··@mh-freiburg.de> wrote:
> 
>> One might even argue that the Mac, because of its PowerPC is a more
>> secure platform - smaller overall population. I think some
>> authorities would even go as far as to claim that an architecture
>> with (much) more registers is less prone to buffer overflows ...
> 
> That must be the reason they're switching to Intel now.  More
> fun... :)

;-) Yes, indeed. I was kind of amused when I read that less-registers-
more-danger stuff in their migration document ...

 Cheers, RalfD

> Cheers,
> Edi.
From: Ulrich Hobelmann
Subject: Re: Linux or OS X for Portable AllegroServe?
Date: 
Message-ID: <3gq8mqFdnui9U1@individual.net>
Kenny Tilton wrote:
> I was all stoked to run a web site on OS X cuz more than a few folks 
> rave on it over Linux (mostly in re ease of maintenance), but the person 
> I want to set this up for me says OS X bites as bad as win32 for 
> security. whoa.

Hm, I think it's more or less like any Unix, maybe a little less 
secure through all its user-friendly stuff, but if you run a 
web-server, I'd do that as a normal user anyway (Portable Aserve 
has the setuid option, so you can run it as root to grab port 80 
and then switch to "user mode"), so the danger potential is very 
limited.

> Any all feedback welcome.
> 
> btw, I noticed on the Portable AllegroServe site that OpenMCL is 
> supported, but also something about the strength of the port varying 
> from platform to platform. So... where does OpenMCL rank?

I use OpenMCL right now and Portableaserve seems to run quite well 
on it.  Especially since AFAIK some other Lisps don't support 
threading on the Mac.

-- 
Don't let school interfere with your education. -- Mark Twain