<vuln-dev () lists securityfocus com>:
ezmlm-reject: fatal: Sorry, I don't accept messages of MIME
Content-Type 'multipart/alternative' (#5.2.3)
--- Below this line is a copy of the message.
Attached are some questions I had on file system permissions.
I am confused as to how permissions are set on symbolic links and normal
files created by the average joe schmoe user with standard privs on
OSX.
My exact version info is ... Darwin Kernel Version 1.3.7: Sat
Jun 9 11:12:48 PDT 2001; root:xnu/xnu-124.13.obj~1/RELEASE_PPC
on OSX 10.0.4 Build 4Q12. Let me walk you through my confusion.
Clicked System Prefs then went to users and filled out the form to
make a user.
I made sure I did not check the box to allow this user to admin the box
Telnet in and login as joeschmoe
[osxinsightrrcom:/tmp] root# telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Darwin/BSD (osxinsightrrcom) (ttyp3)
login: joeschmoe
Password:
Welcome to Darwin!
[osxinsightrrcom:~] joeschmo% id
uid=504(joeschmo) gid=20(staff) groups=20(staff)
Looks like the only groups I am in are staff.
[osxinsightrrcom:~] joeschmo% pwd
/Users/joeschmo
[osxinsightrrcom:~] joeschmo% touch file
[osxinsightrrcom:~] joeschmo% ls -al file
-rw-r--r-- 1 joeschmo staff 0 Sep 30 19:53 file
All looks fine here: uid=joeschmoe gid=staff
Move to /tmp and do the same thing.
The first thing I find odd is that the file is now
uid=joeschmoe and gid=wheel instead of gid=staff.
[osxinsightrrcom:~] joeschmo% cd /tmp
[osxinsightrrcom:/tmp] joeschmo% touch file
[osxinsightrrcom:/tmp] joeschmo% ls -al file
-rw-r--r-- 1 joeschmo wheel 0 Sep 30 20:05 file
Now let's try an ln because it's even weirder. Now perms are
uid=root gid=wheel which makes no sense to me.
(I was attempting to exploit man so don't mind the file names)
[osxinsightrrcom:/tmp] joeschmo% ln -s /etc/issue man.000112
[osxinsightrrcom:/tmp] joeschmo% ls -al man.000112
lrwxrwxrwt 1 root wheel 10 Sep 30 20:07 man.000112 -> /etc/issue
Same command in my home dir. What's the deal here? Why is it
uid=joeschmoe and gid=staff here but not in /tmp?
[osxinsightrrcom:~] joeschmo% ln -s /etc/issue man.000112
[osxinsightrrcom:~] joeschmo% ls -al man.*
lrwxr-xr-x 1 joeschmo staff 10 Sep 30 20:10 man.000112 -> /etc/issue
/tmp is a symbolic link to /private so let's see what it looks like
[osxinsightrrcom:/private/cores] joeschmo% ls -al /tmp
lrwxrwxr-t 1 root admin 11 Sep 30 19:12 /tmp -> private/tmp
[osxinsightrrcom:/private/cores] joeschmo% ls -al /private/
total 0
drwxr-xr-x 7 root wheel 194 Sep 30 13:31 .
drwxrwxr-t 26 root admin 840 Sep 30 19:12 ..
drwxr-xr-x 3 root wheel 264 Apr 27 08:30 Drivers
drwxrwxrwt 3 root wheel 58 Sep 30 20:12 cores
drwxr-xr-x 59 root wheel 1962 Sep 29 16:51 etc
drwxrwxrwt 7 root wheel 194 Sep 30 20:07 tmp
drwxr-xr-x 17 root wheel 534 Sep 30 13:31 var
cores and tmp seem to have the same perms so the same issue applies
there also
[osxinsightrrcom:/private/cores] joeschmo% ln -s /etc/issue man.000112
[osxinsightrrcom:/private/cores] joeschmo% ls -al man.*
lrwxrwxrwt 1 root wheel 10 Sep 30 20:12 man.000112 -> /etc/issue
Can anyone tell me what's going on here?
-KF