Picture of Jürgen Kreileder

Posts Tagged ‘world-writable’

OS X Applications Insecurely Installing World-Writable Files

Files, directories, and devices that are writable by any user (“world-writable”) on a multi-user system can be dangerous locally exploitable security holes. There are very few legitimate reasons for having world-writable files and directories on a system.

Many UNIX and Linux systems actually have cron jobs that check for world-writable files. On Apple’s OS X there is no such safeguard and many vendors do not seem to care about file permissions much at all. Several well-known applications are either installed with world-writable files or create them when used:

World-writable files in system directories

The following applications install world-writable files in shared directories (/Applications, /Library, …):

  • Adobe CS 4, CS 5: Some uninstallers + several files and directories in /Library/Application Support + various stuff in other locations
  • Adobe Media Player: directory + some files in Contents/Resources
  • Adobe Flash Player: directories (including AddIns und AddIns/airappinstaller)
  • Amazon MP3 Downloader: some directories
  • EPSON (Scan, TWAIN data source, Easy Photo Print, …): pretty much everything, including executables
  • Eye-One Match 3: complete app, including executable
  • eMusic Download Manager: complete app, including executable and JavaScript (the application is based on Mozilla)
  • Telltale games: complete apps including executable and libraries
  • Apple OS X: some plist and cache files, including at least one LaunchDaemon plist file
  • Google+Growl Utility (not a Google product): whole app including executable
  • HP Scan Pro (plus supporting files): everything including executables
  • DivX Converter: resource files
  • Apple Remote Desktop: some plist files
  • Apple GarageBand: several plist and data files
  • Apple ColorSync: some profiles
  • Microsoft Office 2011: directory in /Library Application Support
  • Elgato EyeTV: several plist files
  • ABBYY FineReader Sprint 8.0: several data files
  • ArcSoft (Connect Suite, MediaImpression 2): all files, including executables
  • Extensis Suitcase Fusion 2: all files, including executables

World-writable files in user directories

The following applications install world-writable files in user directories (/Users/$USER):

  • GoogleGrowl.plugin: whole plugin including executable
  • 3rd-party extensions for Apple Safari: some extensions (e.g. AdBlock) install world-writable files
  • Apple iPhoto: the whole library seems to be world-writable
  • Adium add-ons: several add-ons install world-writable files
  • eMusic Download Manager:some preferences files are world-writable
  • Adobe (CS 4, CS5, Flash, …): several preferences files
  • Apple MobileDevice: crash logs are world-writable

The lists have been compiled by inspecting my own systems and those of several friends by running

sudo sh -c \
  "find / -xdev -perm +o=w ! \( -type d -perm +o=t \) ! -type l -print0 | \
   xargs -0 ls -dl 2>&1 | \
   tee world-writable-files.txt"

and analyzing the output.

Note that running Disk Utility‘s “Repair Disk Permissions” does not have any influence on the issues described here.

Most OS X installations are probably single-user systems in reality but the situation is still somewhat ugly.