Re: Helper Tool on FireWire

FROM : wadeslists
DATE : Sun Jun 25 13:45:01 2006

>> > Why does your tool need to run from the boot partition?
>>
>> It does not. But it needs to run setuid root, and this seems not to
>> work on FireWire-non-boot-partitions.

>
> Of course. Otherwise, I could take a FireWire drive, hook it up to my
> Mac, put a tool on it, make it setuid root, then connect my drive to
> your Mac and boom! Instance root access.


To clarify, removable volumes are mounted with "Ignore ownership on 
this volume" ticked by default (in the Get Info window).  This means 
the actual user & group owners are ignored, both for reading and 
writing.  MacOS X sees to it that it appears that the user whom 
mounted them (the console user, I presume) owns them, and changes to 
the owner user or group are ignored.

You can certainly turn this check box off.  But, obviously, you take 
your security into your own hands when you do so.  You need admin 
privileges to turn it off though (standard authentication dialog), so 
at least there's some protection against unwary users.

The status of this check box is preserved across mount sessions of 
the given volume, although whether it's stored locally or on the 
volume I don't know.  I would really hope not the latter, for 
security reasons, but from what I've quickly Googled I do in fact get 
the impression this is the case.  Anyone else got two machines handy 
to test with?

P.S. You can't ignore ownership on the boot volume, obviously, so 
booting from a removable drive will always run the associated risks. 
I don't know if booting from removable volumes can be disabled.

Wade Tregaskis

    ICQ: 40056898
    AIM, Yahoo & Skype: wadetregaskis
    MSN: <email_removed>
    iChat & email: <email_removed>
    Jabber: <email_removed>
    Google Talk: <email_removed>

    http://homepage.mac.com/wadetregaskis/

-- Sed quis custodiet ipsos custodes?