Thread ID: 84142 2007-10-25 18:53:00 Windows vs. Linux vs. Mac Security somebody (208) PC World Chat
Post ID Timestamp Content User
605390 2007-10-28 07:55:00 Perhaps I should have said "any installed system" :p

There is also the difference between what a person can do who has access to a system and installer disks etc. and what someone can or can't do with limited rights and remote access to a system - the first one would obviously be a lot more but also very unlikely in the scenario being discussed here.
winmacguy (3367)
605391 2007-10-28 08:00:00
> There is also the difference between what a person can do who has access to a system and installer disks etc. and what someone can or can't do with limited rights and remote access to a system - the first one would obviously be a lot more but also very unlikely in the scenario being discussed here.

Have you used ssh before? You can do almost anything you could do locally from the other side of the planet if you want to.

Access to installer disks makes no difference at all to what an attacker can do to your system!
Erayd (23)
605392 2007-10-28 10:29:00 In a nutshell, PCtek is right, PEBCAK... Let's be honest, most people out there aren't bright enough to open a suspicious picture / executable in a sandboxed environment, and they'll happily punch in the root pwd when prompted. It's the punching in of the pwd that should hopefully give them a little extra time to think... or ideally there's the one admin in the household and the rest of the users are just that, users.

Bletch is right, you can absolutely decimate a box in a matter of seconds as root user, it's not hard at all. SELinux or the likes is about the only thing that'd actually stop that, but how likely is SELinux on a home user's PC...? ;)
Chilling_Silence (9)
605393 2007-10-28 11:46:00
> Bletch is right, you can absolutely decimate a box in a matter of seconds as root user, it's not hard at all. SELinux or the likes is about the only thing that'd actually stop that, but how likely is SELinux on a home user's PC...? ;)

I suspect MacOSX uses BSD chflags. This stops even root from modifying or deleting some files. However, files that need to be modified on a regular basis cannot be protected with chflags...

Also, you cannot log in as root remotely to an OSX box. You need to log in as a regular user who has a wheel account.
vinref (6194)
605394 2007-10-28 11:53:00 If it is running as root, it can quite happily hose the entire OS, rootkit the system, or do pretty much anything else it likes. How is that not as much damage? Linux/Unix is extremely secure if used in the correct manner. Once something is running as root there's no stopping it (unless you're using SELinux or similar).

I may be mistaken on this one, but OSX does not have a compiler - do you know winmacguy? It may not be possible to modify the kernel in situ. You cannot replace the existing kernel with a binary unless you boot into something similar to single-user mode.

Also OSX uses a lot of TrustedBSD and OpenBSD security mechanisms. These are similar to SELinux.
vinref (6194)
605395 2007-10-28 12:05:00 If you think otherwise, I dare you to give me root access to your Leopard box. I'm willing to bet that I can completely hose it inside two minutes.

You don't need a password, and it takes less than 30 seconds. Just pick up the machine and throw it out the window.
vinref (6194)
605396 2007-10-28 12:09:00
> I suspect MacOSX uses BSD chflags. This stops even root from modifying or deleting some files. However, files that need to be modified on a regular basis cannot be protected with chflags...

And guess which user can re-enable full access to these files? Yep, you guessed it :p.

> Also, you cannot log in as root remotely to an OSX box. You need to log in as a regular user who has a wheel account.

By default, this is correct. Wheel user, then sudo to root. However it's certainly possible to set up root access via ssh - I have done this before.

> I may be mistaken on this one, but OSX does not have a compiler - do you know winmacguy?

OSX will run gcc quite nicely. And you don't need a compiler to mess with the kernel anyway.

> It may not be possible to modify the kernel in situ.

This may or may not be the case - I've never tried it - but I strongly suspect it is possible.

> You cannot replace the existing kernel with a binary unless you boot into something similar to single-user mode.

Now that's not true - if you have root access, you can quite happily overwrite the kernel with anything you like.

> Also OSX uses a lot of TrustedBSD and OpenBSD security mechanisms. These are similar to SELinux.

Yup, OSX does a pretty good job of protecting users from themselves, but it's far from perfect. And root can disable these restrictions anyway.

> You don't need a password, and it takes less than 30 seconds. Just pick up the machine and throw it out the window.

Hahahaha :thumbs:

[Edit: It should be noted that all these issues also apply to Linux systems. And don't even get me started on Windows systems...]
Erayd (23)
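The post above says root access over ssh is "certainly possible to set up". The following is an added example, not code from any poster in this thread: a small POSIX sh audit that reads an sshd_config and reports what its PermitRootLogin directive actually allows. It assumes only sh, awk and mktemp; both sample configs are constructed inline for the demonstration and do not come from any real machine.

```shell
#!/bin/sh
# Added example for this thread, not any poster's code: audit the root-login
# policy of an sshd_config. Assumes POSIX sh, awk and mktemp. The two sample
# configuration files below are constructed for the demo.

# Print the effective value of a directive. sshd uses the FIRST occurrence of
# a keyword and ignores later duplicates, so a "PermitRootLogin no" appended
# at the bottom of a file that already says "yes" higher up changes nothing.
sshd_effective() {
    # $1 = config file, $2 = keyword (matched case-insensitively)
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/         { next }              # comment line
        NF < 2             { next }              # blank or valueless line
        tolower($1) == key { print $2; exit }    # first match wins
    ' "$1"
}

# Classify the root-login policy of one config file.
judge_root_login() {
    val=$(sshd_effective "$1" PermitRootLogin)
    case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
        no)                   echo "ok: root login disabled" ;;
        prohibit-password|without-password)
                              echo "weak: root may log in with a key" ;;
        forced-commands-only) echo "weak: root may run forced commands with a key" ;;
        yes)                  echo "bad: root may log in with a password" ;;
        "")                   echo "unset: relies on the sshd build default" ;;
        *)                    echo "unknown: $val" ;;
    esac
}

# --- constructed sample configs ------------------------------------------
WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# constructed: a permissive config, roughly what a box with root ssh looks like
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later in a hurry; ignored, because the first occurrence above wins
PermitRootLogin no
EOF

HARD_CFG=$(mktemp)
cat >"$HARD_CFG" <<'EOF'
# constructed: the "log in as a wheel user, then sudo" model the thread describes
Port 22
PermitRootLogin no
PasswordAuthentication no
AllowGroups wheel
EOF

echo "weak config: $(judge_root_login "$WEAK_CFG")"
echo "hard config: $(judge_root_login "$HARD_CFG")"
```

Run it as `sh audit.sh`; the weak sample is reported as "bad" even though its last line says no, because sshd keeps the first value it reads for each keyword. Modern OpenSSH (7.0 and later) defaults PermitRootLogin to prohibit-password when the directive is absent, which is why an unset value is flagged rather than assumed safe. The temporary files are left in place so the results can be inspected afterwards.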
605397 2007-10-28 12:16:00 Not so sure about that for OSX.

Hey winmacguy, did the update to Leopard all take place in normal multi-user mode? How many reboots?
vinref (6194)
605398 2007-10-28 12:17:00 BSD chflags require booting into single-user mode to change. So this is impossible to do remotely.

[Edit] Just saw your edit. All my comments referred to what I vaguely understand about OSX and remote exploits, which have many differences with Linux, but are mostly derived from BSD and some Linux systems.

Local exploits are nothing to worry about when your machine can be tossed out the window so easily...
vinref (6194)
605399 2007-10-28 12:48:00
> BSD chflags require booting into single-user mode to change. So this is impossible to do remotely.

And it's entirely possible to set the ssh server to run in single-user mode. And to set the next reboot to automatically be single-user. Do you see where I'm heading with this? You can also mess with the disk directly rather than at the filesystem level, I'm pretty sure chflags won't stop that - although I won't swear to it.

> [Edit] Just saw your edit. All my comments referred to what I vaguely understand about OSX and remote exploits, which have many differences with Linux, but are mostly derived from BSD and some Linux systems.

Yup. There are a lot of differences, but the overall system design is very similar - so they share many of the same exploit techniques.

> Local exploits are nothing to worry about when your machine can be tossed out the window so easily...

I always thought that throwing it out of the window *was* a local exploit...
Erayd (23)