Insufficient privileges?

Bayard Bell buffer.g.overflow at googlemail.com
Fri Apr 29 10:24:07 PDT 2011


On 29 Apr 2011, at 17:09, John B Brown wrote:

> 	The key being 'what Apple list[s]', but not the code.

Actually, that list is from the source, which you can find at

http://opensource.apple.com/source/sudo/sudo-46/

> 	Do you have a URL for Apple's 'open source?' I don't so, please, send me a copy of that URL. Apple updates do not come from MacPorts sites. I already have copies of sudo source from MacPorts. A straight compile of MacPorts source gives me a 'bent' sudo executable. At 78, I don't have time for proprietary source search games; hiking the mountains is so much more satisfying.

See above. There's no need for scare quotes around the words open source in this case, and you'll have a lot more time to hike mountains if you find and review the source as opposed to getting into minor surgery because of speculations about changes made by Apple. If you want an easy way to fetch the code for a given OS X release and view it locally, see

http://darwinbuild.macosforge.org/

This tool is also available via MacPorts IIRC.

> Bayard Bell wrote:

>> If you think you can keep all your windows open on your ground-floor home because you've got three locks on the front door and a three-foot tall fence around your garden, that is absolutely your decision, but it's not unreasonable on a list like this to point out that it makes for considerable security risks that others may not wish to accept.
> 
> 	EMFs are NOT doors or windows or fences.

I've explained the reasonable use case for something like NOPASSWD, and you've not come back with something resembling "science." Nevertheless, I'm happy to explain why the analogy is apt.

Firewalls allow some enforcement of protocol access policies, and their ability to deliver even that much varies considerably from completely effective given the prevalence of protocol and object tunnelling, which are facets of a general problem of not keeping up with application-level content inspection because of the difficulty of maintaining throughput and minimising latency. As stack overflows against IP stacks and server code have become less prevalent, attackers have shifted extensively toward client-side exploitation and attacks on web applications, moving much of the defensive efforts towards various forms of sandboxing so that attacks against browsers in particular can be contained. Nevertheless, it was three years on the trot that Charlie Miller managed to break into a fully patched OS X system via Safari, where at least two years of that involved using the same script to identify exploits (he didn't get to break OS X through Safari this year because a Dutch team got to go first and succeeded, so he had to settle for breaking iOS).

Despite progress (and some promising signs about Lion), OS X has remained behind on client-side defence because of partial implementation of memory protection measures, so I don't rest easy because of the number of firewalls between my Mac and the Internet because they're a security measure that's on a different plane than most attack vectors, which are furthermore designed to traverse most firewalls.

Cheers,
Bayard


More information about the macports-users mailing list