Builds 9a423 and 9a430 mentioned on MacOSForge


Sad!!! I hope they will correct this before Leopard is launched.


As a system engineer I've switched to launchd for most of our servers. In this process I've found out that when not configuring launchd the right way this could lead to a major security flaw. I know, you should then configure launchd the right way but still. I found that this bug is too big to leave it not reported.


For example... When you have a launchd script that fires off a normal application and you put this script in /Library/LaunchDaemons/. Also I have automatic login disabled. During startup it will open this application without logging in. The login window is still visible but the application launches. Then you could easily open System Preferences by clicking on the blue apple icon in the top left corner. With System Preferences open you could easily change the root password and log in.


I know you should configure it the right way by putting this in LaunchAgents. But still, wouldn't it be better that this would not be possible when you haven't logged in?
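
An added example, not part of the original post: a Python audit an administrator could run over /Library/LaunchDaemons to flag jobs that start a program from inside an .app bundle, which is the misconfiguration described above. The .app-path heuristic, the function names and the sample jobs are assumptions constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

# Heuristic (assumption of this example): a program path inside an
# .app bundle is a GUI application rather than a background daemon.
APP_MARKER = ".app/Contents/MacOS/"

def job_program(job):
    """Return the executable a launchd job starts, or '' if none is set."""
    if job.get("Program"):
        return str(job["Program"])
    args = job.get("ProgramArguments") or []
    return str(args[0]) if args else ""

def audit_daemons(directory):
    """Return (file, program, user) for daemon jobs that start an app bundle."""
    findings = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            job = plistlib.loads(path.read_bytes())
            program = job_program(job)
        except Exception:  # malformed plist or unexpected root type
            findings.append((path.name, "<unreadable plist>", "?"))
            continue
        if APP_MARKER in program:
            # A daemon runs as root unless the job sets UserName.
            findings.append((path.name, program, job.get("UserName", "root")))
    return findings

def build_sample_dir():
    """Write two constructed jobs: a GUI app as a daemon, and a plain daemon."""
    d = Path(tempfile.mkdtemp())
    samples = {
        "com.example.guiapp.plist": {
            "Label": "com.example.guiapp",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/Example"],
            "RunAtLoad": True},
        "com.example.backupd.plist": {
            "Label": "com.example.backupd",
            "Program": "/usr/local/sbin/backupd",
            "RunAtLoad": True},
    }
    for name, job in samples.items():
        (d / name).write_bytes(plistlib.dumps(job))
    return d

if __name__ == "__main__":
    for name, program, user in audit_daemons(build_sample_dir()):
        print(f"{name}: starts {program} as {user}")
```

Pointing `audit_daemons` at the real /Library/LaunchDaemons directory lists the jobs to move to LaunchAgents or to give a non-root UserName.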

