[OS X TeX] OT: authorizations in Leopard

Sun Nov 11 16:04:56 CET 2007

Le 11 nov. 07 à 15:17, Bruno Voisin a écrit :

> Le 11 nov. 07 à 13:31, Jean-Claude DE SOZA a écrit :
>
>> Le 9 nov. 07 à 18:53, Bruno Voisin a écrit :
>>
>>> Hence I tried:
>>>
>>> sudo chmod -a# 0 /Applications
>>> sudo chmod -a# 0 /Library
>>>
>>> It suppresses indeed the warning in Disk Utility, but it does not  
>>> seem to affect the authorizations problems I'm experiencing.
>>
>> It is not a good idea to change any permission in Mac OS X by his  
>> own.
>> Don't try to remove the ACL as some persons did in the first days  
>> of Leopard; it resulted a mess in the system.
>>
>> You only have to do two things. First apply the update for Remote  
>> Desktop and Keychain applications
>
> I guess these are two separate updates, one for Remote Desktop and  
> the other for Keychain, right? If that it indeed the case, both had  
> been applied already. From Software Update.log:
>
> 2007-10-26 23:42:19 +0200: Installed "Remote Desktop Client" (3.2.1)
> 2007-10-26 23:42:29 +0200: Installed "Backup" (3.1.2)
> 2007-10-28 02:33:03 +0200: Installed "Mise à jour du trousseau et de  
> l’ouverture de session" (1.0)
> 2007-11-06 09:09:04 +0100: Installed "QuickTime" (7.3)
> 2007-11-06 09:09:58 +0100: Installed "iTunes" (7.5)
>
>> and then start with the Leopard Install Disk as if you want to  
>> reinitialize your password. But in the window where you are allowed  
>> to, don't change anything except at the bottom: click on the reset  
>> button to restaure the ACL to default.
>
> Just did that. If I understood correctly, there is a pull-down menu  
> allowing to select a user account, and then the button you mention  
> to reset all ACLs for this user.
>
> In my case there were three users in the menu (me and my GF -- the  
> two account owners on my MacBook -- and System Administrator aka  
> root -- though I did not activate the root account in NetInfo  
> Manager in Tiger at any stage). I rebuilt the ACLs for all 3 in  
> sequence.
>
>> To finish your job, restart and run Disk Utility and the Repair  
>> Permissions and if you see a statement about the SUID of /System/ 
>> Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ 
>> ARDAgent which is changed and will not be repaired, you are done.
>
> When I do that now, not only I do get the message you mention (it  
> was there already before), but also I do get messages about found  
> and unexpected ACLS in /private/var/root/Library/Preferences and / 
> private/var/root/Library. Sounds scary! I hope I did not mess  
> anything up by asking to restore default ACLs for root.
>
> From DiskUtility.log:
>
> 2007-11-11 14:55:33 +0100: Verify permissions for “Macintosh HD”
> 2007-11-11 15:01:18 +0100: ACL found but not expected on "private/ 
> var/root/Library/Preferences".
> 2007-11-11 15:01:18 +0100: ACL found but not expected on "private/ 
> var/root/Library".
> 2007-11-11 15:01:18 +0100: Warning: SUID file "System/Library/ 
> CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"  
> has been modified and will not be repaired.
> 2007-11-11 15:02:24 +0100:
> 2007-11-11 15:02:24 +0100: Permissions verification complete
>
> Thanks for your help,

The most important thing is the warning:
SUID file "System/Library/CoreServices/RemoteManagement/ARDAgent.app/ 
Contents/MacOS/ARDAgent" has been modified and will not be repaired.
The ACL were yet in Tiger but are deactivated by default. They had a  
vulnerability used in some exploits during the Month of Apple Bugs.

Jean-Claude DE SOZA