10.6.1 & Repair Permissions

On 2009-09-14, Wes Groleau <groleau+> wrote:
> Ian Gregory wrote:
>> The only problem with "repair permissions" is that it is so widely
>> misunderstood.
>
> It's certainly misunderstood if you think it is similar
> to unix-privesc-check

Of course "check permissions" it is similar to unix-privesc-check in
that they both check permissions. I am well aware of the ways in which
they differ but your garbled description of how "check permissions"
works clearly indicates that it is you, not me who belongs to the massed
ranks of those who misunderstand it.

This started out with someone bemoaning the fact that "repair
permissions" exists on Mac OS X but not FreeBSD. I just pointed out that
all Unix sysadmins need to be aware of permissions issues and be
prepared to check them if necessary. On FreeBSD you might do it manually
using find(1) or by running some third party scripts. I gave
unix-privesc-check as one example of such a script but there are plenty
of others, for example scripts which make a record of all file
permissions that can be used later to see if permissions have changed.

I don't get why people are criticising Apple for having included some
permissions checking functionality in Disk Utility. It doesn't do
everything but it is better than nothing and you don't have to use it if
you don't want to.

Ian

--
Ian Gregory
http://www.zenatode.org.uk/ian/

In article <>,
Ian Gregory <> wrote:

> On 2009-09-14, Wes Groleau <groleau+> wrote:
> > Ian Gregory wrote:
> >> The only problem with "repair permissions" is that it is so widely
> >> misunderstood.
> >
> > It's certainly misunderstood if you think it is similar
> > to unix-privesc-check
>
> Of course "check permissions" it is similar to unix-privesc-check in
> that they both check permissions. I am well aware of the ways in which
> they differ but your garbled description of how "check permissions"
> works clearly indicates that it is you, not me who belongs to the massed
> ranks of those who misunderstand it.
>
> This started out with someone bemoaning the fact that "repair
> permissions" exists on Mac OS X but not FreeBSD. I just pointed out that
> all Unix sysadmins need to be aware of permissions issues and be
> prepared to check them if necessary. On FreeBSD you might do it manually
> using find(1) or by running some third party scripts. I gave
> unix-privesc-check as one example of such a script but there are plenty
> of others, for example scripts which make a record of all file
> permissions that can be used later to see if permissions have changed.
>
> I don't get why people are criticising Apple for having included some
> permissions checking functionality in Disk Utility. It doesn't do
> everything but it is better than nothing and you don't have to use it if
> you don't want to.

I think most of the criticism is directed at people who espouse the
notion that repairing permissions is a routine maintenance task in OS X.

Apple's only mistake was to name a useful feature in a way that caused
some people to misunderstand what it was for.

--
"The game of professional investment is intolerably boring and over-exacting to
anyone who is entirely exempt from the gambling instinct; whilst he who has it
must pay to this propensity the appropriate toll." -- John Maynard Keynes

Ian Gregory wrote:
> they differ but your garbled description of how "check permissions"
> works clearly indicates that it is you, not me who belongs to the massed
> ranks of those who misunderstand it.

Check/repair permissions works as if the permissions in the BOM
are the "standard" list I mentioned. Even if that list were
universally accepted, it's still a far cry from a script in which
someone, be they right or wrong, put some thought into checking
specific things known to be potential vulnerabilities.

Several posts show that I am not the only person who doesn't
fully accept Apple's "standard" permissions lists.

--
Wes Groleau

First Language Acquisition observed up—close & personal
http://Ideas.Lang-Learn.us/barrett?itemid=1349

On 2009-09-15, Wes Groleau <groleau+> wrote:

> Several posts show that I am not the only person who doesn't
> fully accept Apple's "standard" permissions lists.

But that is a separate issue. The "repair permissions" feature simply
restores the original permissions - if that is not what you want then
don't run it. From page 39 of Apple's own Leopard security configuration
guide:

> Note: If you've modified permissions for files in accordance with
> organizational policies, repairing disk permissions can reset the
> modified permissions to those stated in the Bill of Materials file.
> After repairing permissions, reapply the file permission modifications
> to adhere to your organizational policies.

If you understand "repair permissions" then there is no problem. Run it
if you want to restore permissions to what the installer originally set
them to be and don't run it if you don't. If you just want to see which
permissions have changed since installation then you might want to run
"check permissions" instead. Some of the changes might be ones you
deliberately made yourself but you might also find some that have
inexplicably changed and which may be cause for concern. What you do
next is up to you.

Ian

--
Ian Gregory
http://www.zenatode.org.uk/ian/

So you buy a new Lexus and while you are on the test drive, there is this disturbing banging under the hood. The salesmen says "just ignore it". bangity bangity bangity ...

The error message is there for a reason; either it is reporting an error or it is an error itself. Either way, it's a bug.