{"id":103,"date":"2012-01-15T18:01:46","date_gmt":"2012-01-15T18:01:46","guid":{"rendered":"https:\/\/trouble.org\/wp\/?p=103"},"modified":"2015-07-22T09:33:30","modified_gmt":"2015-07-22T09:33:30","slug":"looking-for-a-good-man1","status":"publish","type":"post","link":"https:\/\/trouble.org\/?p=103","title":{"rendered":"looking for a good man(1)"},"content":{"rendered":"<p>I like documentation. \u00a0 Programs should have it. \u00a0But on the heels of the<a title=\"walk like a \/usr\/bin\/man\" href=\"https:\/\/trouble.org\/?p=85\" target=\"_blank\"> man path thing<\/a>\u00a0I did some more looking on my\u00a0\u00a0Snow Leopard System.<\/p>\n<p>Finding all the SUID files outside the traditional \/sbin areas shows a few more (e.g. &#8220;find -x \/ -type f -perm -04000 -ls&#8221;.) \u00a0 Looks like 15 files, 8 of them by 3rd party vendors (good to know lazy coders are still out there):<\/p>\n<div class=\"codecolorer-container text blackboard\" style=\"overflow:auto;white-space:nowrap;\"><div class=\"text codecolorer\">\/Applications\/Utilities\/Keychain Access.app\/Contents\/Resources\/kcproxy<br \/>\n\/Library\/Application Support\/Logitech.localized\/Logitech Control Center.localized\/LCCDaemon.app\/Contents\/Resources\/SetPriority<br \/>\n\/Library\/Application Support\/StreamWatcher\/StreamCaptureTool<br \/>\n\/Library\/Application Support\/VMware Fusion\/VMDKMounter.app\/Contents\/MacOS\/vmware-vmdkMounterTool<br \/>\n\/Library\/Application Support\/VMware Fusion\/vmware-authd<br \/>\n\/Library\/Application Support\/VMware Fusion\/vmware-rawdiskCreator<br \/>\n\/Library\/Application Support\/VMware Fusion\/vmware-usbArbitratorTool<br \/>\n\/Library\/Application Support\/VMware Fusion\/vmware-vmx<br \/>\n\/Library\/Application Support\/VMware Fusion\/vmware-vmx-debug<br \/>\n\/System\/Library\/CoreServices\/RemoteManagement\/ARDAgent.app\/Contents\/MacOS\/ARDAgent<br \/>\n\/System\/Library\/Printers\/IOMs\/LPRIOM.plugin\/Contents\/MacOS\/LPRIOMHelper<br 
\/>\n\/System\/Library\/PrivateFrameworks\/Admin.framework\/Versions\/A\/Resources\/readconfig<br \/>\n\/System\/Library\/PrivateFrameworks\/Admin.framework\/Versions\/A\/Resources\/writeconfig<br \/>\n\/System\/Library\/PrivateFrameworks\/DesktopServicesPriv.framework\/Versions\/A\/Resources\/Locum<br \/>\n\/System\/Library\/PrivateFrameworks\/Install.framework\/Versions\/A\/Resources\/runner<\/div><\/div>\n<p>No man pages here either&#8230; but thanks to the\u00a0<a title=\"Makers o' Streamwatcher\" href=\"http:\/\/www.eloquentsw.com\/streamwatcher.html\" target=\"_blank\">streamwatcher<\/a>\u00a0programmers who put a SUID binary when I installed the test version.<\/p>\n<p>VMware was kind enough to put a 33MB and a 41MB SUID on my system, I&#8217;m sure they have no security issues. \u00a0Do they honestly think you can make 40 megs of SUID executable safe? \u00a0 ARDAgent, another 1.8MB SUID&#8230; searching&#8230; great, tons of holes found in that already, some people never learn. \u00a0Bah<span style=\"font-family: mceinline;\">, time to strip off the SUID bit.<\/span><\/p>\n<p>Let&#8217;s see&#8230; &#8220;find \/System -type f -perm -00100 -ls |wc&#8221; gives&#8230; 3594 executables. \u00a0Probably not all of them, so run file(1) on them all, and:<\/p>\n<blockquote><p>1649 Mach-O universal binary with 3 architectures<br \/>\n876 Mach-O universal binary with 2 architectures<br \/>\n&#8230;. and a whole lot more&#8230; perl, python, other scripts, conf files&#8230;.<\/p><\/blockquote>\n<p>Surely they have documentation? \u00a0Find reveals&#8230; 104 man page lookin&#8217; things in \/System and \/Library, almost all for python, ruby, TK stuff. 
\u00a0And when Apple puts in 5 different executables called QuartzComposer&#8230; what are you supposed to think when you see it running?<\/p>\n<div class=\"codecolorer-container text blackboard\" style=\"overflow:auto;white-space:nowrap;\"><div class=\"text codecolorer\">-rwxr-xr-x 1 root wheel 10182784 Apr 29 2011 \/System\/Library\/Frameworks\/Quartz.framework\/Versions\/A\/Frameworks\/QuartzComposer.framework\/Versions\/A\/QuartzComposer<br \/>\n-rwxr-xr-x 1 root wheel 95424 May 19 2009 \/System\/Library\/Frameworks\/Quartz.framework\/Versions\/A\/Frameworks\/QuartzComposer.framework\/Versions\/A\/Resources\/QuartzComposer.ibplugin\/Contents\/MacOS\/QuartzComposer<br \/>\n-rwxr-xr-x 1 root wheel 54704 Sep 15 2010 \/System\/Library\/Frameworks\/QuickLook.framework\/Versions\/A\/Resources\/Generators\/QuartzComposer.qlgenerator\/Contents\/MacOS\/QuartzComposer<br \/>\n-rwxr-xr-x 1 root wheel 132848 Jun 25 2010 \/System\/Library\/QuickTime\/QuartzComposer.component\/Contents\/MacOS\/QuartzComposer<br \/>\n-rwxr-xr-x 1 root wheel 48912 May 18 2009 \/System\/Library\/Spotlight\/QuartzComposer.mdimporter\/Contents\/MacOS\/QuartzComposer<\/div><\/div>\n<p>Some of these are documented pretty well in other ways (Automator and some other apps), but there are many more that have zero&#8230; picking a random one in \u00a0\/System\/Library\/CoreServices\/, I see\u00a0SystemUIServer.app has a program called\u00a0uiscriptrunner that it presumably runs&#8230; what does that do?
\u00a0No documentation, no mention of it at all on apple.com via google or their search engine.<\/p>\n<p>&nbsp;<\/p>\n<p>A big, black box.<\/p>\n<p>&nbsp;<\/p>\n<p>Get off my lawn, all of you.<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/trouble.org\/uploads\/2012\/01\/dog-pictures-gift-lawn.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-117 size-full\" title=\"dog-pictures-gift-lawn\" src=\"https:\/\/trouble.org\/uploads\/2012\/01\/dog-pictures-gift-lawn.jpg\" alt=\"\" width=\"500\" height=\"482\" srcset=\"https:\/\/trouble.org\/wp-content\/uploads\/2012\/01\/dog-pictures-gift-lawn.jpg 500w, https:\/\/trouble.org\/wp-content\/uploads\/2012\/01\/dog-pictures-gift-lawn-300x289.jpg 300w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I like documentation. \u00a0 Programs should have it. \u00a0But on the heels of the man path thing\u00a0I did some more looking on my\u00a0\u00a0Snow Leopard System. Finding all the SUID files outside the traditional \/sbin areas shows a few more (e.g. &#8220;find -x \/ -type f -perm -04000 -ls&#8221;.) 
\u00a0 Looks like 15 files, 8 of [&hellip;]<\/p>\n","protected":false},"author":44,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33,32,4,6],"tags":[41,40,39],"class_list":["post-103","post","type-post","status-publish","format-standard","hentry","category-dinosaur","category-mac","category-security","category-tech","tag-40megs-of-suid-and-counting","tag-damn-docs","tag-getting-old"],"_links":{"self":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/103","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=103"}],"version-history":[{"count":19,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/103\/revisions"}],"predecessor-version":[{"id":1144,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/103\/revisions\/1144"}],"wp:attachment":[{"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}