Security Scripts For Os X


This document describes the security content of OS X Lion v10.7.2 and Security Update 2011-006, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

For information about the Apple Product Security PGP Key, see 'How to use the Apple Product Security PGP Key.'

Where possible, CVE IDs are used to reference the vulnerabilities for further information.

To learn about other Security Updates, see 'Apple Security Updates'.

OS X Lion v10.7.2 and Security Update 2011-006

  • Apache

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Multiple vulnerabilities in Apache

    Description: Apache is updated to version 2.2.20 to address several vulnerabilities, the most serious of which may lead to a denial of service. CVE-2011-0419 does not affect OS X Lion systems. Further information is available via the Apache web site at http://httpd.apache.org/

    CVE-ID

    CVE-2011-0419

    CVE-2011-3192

  • Application Firewall

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Executing a binary with a maliciously crafted name may lead to arbitrary code execution with elevated privileges

    Description: A format string vulnerability existed in Application Firewall's debug logging.

    CVE-ID

    CVE-2011-0185 : an anonymous reporter

  • ATS

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution

    Description: A signedness issue existed in ATS' handling of Type 1 fonts. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-3437

  • ATS

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution

    Description: An out of bounds memory access issue existed in ATS' handling of Type 1 fonts. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0229 : Will Dormann of the CERT/CC

  • ATS

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Applications which use the ATSFontDeactivate API may be vulnerable to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow issue existed in the ATSFontDeactivate API.

    CVE-ID

    CVE-2011-0230 : Steven Michaud of Mozilla

  • BIND

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Multiple vulnerabilities in BIND 9.7.3

    Description: Multiple denial of service issues existed in BIND 9.7.3. These issues are addressed by updating BIND to version 9.7.3-P3.

    CVE-ID

    CVE-2011-1910

    CVE-2011-2464

  • BIND

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Multiple vulnerabilities in BIND

    Description: Multiple denial of service issues existed in BIND. These issues are addressed by updating BIND to version 9.6-ESV-R4-P3.

    CVE-ID

    CVE-2009-4022

    CVE-2010-0097

    CVE-2010-3613

    CVE-2010-3614

    CVE-2011-1910

    CVE-2011-2464

  • Certificate Trust Policy

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Root certificates have been updated

    Description: Several trusted certificates were added to the list of system roots. Several existing certificates were updated to their most recent version. The complete list of recognized system roots may be viewed via the Keychain Access application.

  • CFNetwork

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Safari may store cookies it is not configured to accept

    Description: A synchronization issue existed in CFNetwork's handling of cookie policies. Safari's cookie preferences may not be honored, allowing websites to set cookies that would be blocked were the preference enforced. This update addresses the issue through improved handling of cookie storage.

    CVE-ID

    CVE-2011-0231 : Martin Tessarek, Steve Riggins of Geeks R Us, Justin C. Walker, and Stephen Creswell

  • CFNetwork

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information

    Description: An issue existed in CFNetwork's handling of HTTP cookies. When accessing a maliciously crafted HTTP or HTTPS URL, CFNetwork could incorrectly send the cookies for a domain to a server outside that domain. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-3246 : Erling Ellingsen of Facebook

  • CoreFoundation

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Viewing a maliciously crafted website or e-mail message may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue existed in CoreFoundation's handling of string tokenization. This issue does not affect OS X Lion systems. This update addresses the issue through improved bounds checking.

    CVE-ID

    CVE-2011-0259 : Apple

  • CoreMedia

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Visiting a maliciously crafted website may lead to the disclosure of video data from another site

    Description: A cross-origin issue existed in CoreMedia's handling of cross-site redirects. This issue is addressed through improved origin tracking.

    CVE-ID

    CVE-2011-0187 : Nirankush Panchbhai and Microsoft Vulnerability Research (MSVR)

  • CoreMedia

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: Multiple memory corruption issues existed in the handling of QuickTime movie files. These issues do not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0224 : Apple

  • CoreProcesses

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: A person with physical access to a system may partially bypass the screen lock

    Description: A system window, such as a VPN password prompt, that appeared while the screen was locked may have accepted keystrokes while the screen was locked. This issue is addressed by preventing system windows from requesting keystrokes while the screen is locked. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-0260 : Clint Tseng of the University of Washington, Michael Kobb, and Adam Kemp

  • CoreStorage

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Converting to FileVault does not erase all existing data

    Description: After enabling FileVault, approximately 250MB at the start of the volume was left unencrypted on the disk in an unused area. Only data which was present on the volume before FileVault was enabled was left unencrypted. This issue is addressed by erasing this area when enabling FileVault, and on the first use of an encrypted volume affected by this issue. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-3212 : Judson Powers of ATC-NY

  • File Systems

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: An attacker in a privileged network position may manipulate HTTPS server certificates, leading to the disclosure of sensitive information

    Description: An issue existed in the handling of WebDAV volumes on HTTPS servers. If the server presented a certificate chain that could not be automatically verified, a warning was displayed and the connection was closed. If the user clicked the 'Continue' button in the warning dialog, any certificate was accepted on the following connection to that server. An attacker in a privileged network position may have manipulated the connection to obtain sensitive information or take action on the server on the user's behalf. This update addresses the issue by validating that the certificate received on the second connection is the same certificate originally presented to the user.

    CVE-ID

    CVE-2011-3213 : Apple

  • IOGraphics

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: A person with physical access may be able to bypass the screen lock

    Description: An issue existed with the screen lock when used with Apple Cinema Displays. When a password is required to wake from sleep, a person with physical access may be able to access the system without entering a password if the system is in display sleep mode. This update addresses the issue by ensuring that the lock screen is correctly activated in display sleep mode. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-3214 : Apple

  • iChat Server

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: A remote attacker may cause the Jabber server to consume system resources disproportionately

    Description: An issue existed in the handling of XML external entities in jabberd2, a server for the Extensible Messaging and Presence Protocol (XMPP). jabberd2 expands external entities in incoming requests. This allows an attacker to consume system resources very quickly, denying service to legitimate users of the server. This update addresses the issue by disabling entity expansion in incoming requests.

    CVE-ID

    CVE-2011-1755

  • Kernel

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: A person with physical access may be able to access the user's password

    Description: A logic error in the kernel's DMA protection permitted firewire DMA at loginwindow, boot, and shutdown, although not at screen lock. This update addresses the issue by preventing firewire DMA at all states where the user is not logged in.

    CVE-ID

    CVE-2011-3215 : Passware, Inc.

  • Kernel

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: An unprivileged user may be able to delete another user's files in a shared directory

    Description: A logic error existed in the kernel's handling of file deletions in directories with the sticky bit.

    CVE-ID

    CVE-2011-3216 : Gordon Davisson of Crywolf, Linc Davis, R. Dormer, and Allan Schmid and Oliver Jeckel of brainworks Training

  • libsecurity

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Viewing a maliciously crafted website or e-mail message may lead to an unexpected application termination or arbitrary code execution

    Description: An error handling issue existed when parsing a nonstandard certificate revocation list extension.

    CVE-ID

    CVE-2011-3227 : Richard Godbee of Virginia Tech

  • Mailman

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Multiple vulnerabilities in Mailman 2.1.14

    Description: Multiple cross-site scripting issues existed in Mailman 2.1.14. These issues are addressed by improved encoding of characters in HTML output. Further information is available via the Mailman site at http://mail.python.org/pipermail/mailman-announce/2011-February/000158.html This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0707

  • MediaKit

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Opening a maliciously crafted disk image may lead to an unexpected application termination or arbitrary code execution

    Description: Multiple memory corruption issues existed in the handling of disk images. These issues do not affect OS X Lion systems.

    CVE-ID

    CVE-2011-3217 : Apple

  • Open Directory

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Any user may read another local user's password data

    Description: An access control issue existed in Open Directory. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-3435 : Arek Dreyer of Dreyer Network Consultants, Inc, and Patrick Dunstan at defenseindepth.net

  • Open Directory

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: An authenticated user may change that account's password without providing the current password

    Description: An access control issue existed in Open Directory. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-3436 : Patrick Dunstan at defenceindepth.net

  • Open Directory

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: A user may be able to log in without a password

    Description: When Open Directory is bound to an LDAPv3 server using RFC2307 or custom mappings, such that there is no AuthenticationAuthority attribute for a user, an LDAP user may be allowed to log in without a password. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-3226 : Jeffry Strunk of The University of Texas at Austin, Steven Eppler of Colorado Mesa University, Hugh Cole-Baker, and Frederic Metoz of Institut de Biologie Structurale

  • PHP

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution

    Description: A signedness issue existed in FreeType's handling of Type 1 fonts. This issue is addressed by updating FreeType to version 2.4.6. This issue does not affect systems prior to OS X Lion. Further information is available via the FreeType site at http://www.freetype.org/

    CVE-ID

    CVE-2011-0226

  • PHP

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Multiple vulnerabilities in libpng 1.4.3

    Description: libpng is updated to version 1.5.4 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html

    CVE-ID

    CVE-2011-2690

    CVE-2011-2691

    CVE-2011-2692

  • PHP

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Multiple vulnerabilities in PHP 5.3.4

    Description: PHP is updated to version 5.3.6 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. These issues do not affect OS X Lion systems. Further information is available via the PHP website at http://www.php.net/

    CVE-ID

    CVE-2010-3436

    CVE-2010-4645

    CVE-2011-0420

    CVE-2011-0421

    CVE-2011-0708

    CVE-2011-1092

    CVE-2011-1153

    CVE-2011-1466

    CVE-2011-1467

    CVE-2011-1468

    CVE-2011-1469

    CVE-2011-1470

    CVE-2011-1471

  • postfix

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Multiple vulnerabilities in Postfix

    Description: Postfix is updated to version 2.5.14 to address multiple vulnerabilities, the most serious of which may allow an attacker in a privileged network position to manipulate the mail session to obtain sensitive information from the encrypted traffic. These issues do not affect OS X Lion systems. More information is available via the Postfix site at http://www.postfix.org/announcements/postfix-2.7.3.html

    CVE-ID

    CVE-2011-0411

    CVE-2011-1720

  • python

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Multiple vulnerabilities in python

    Description: Multiple vulnerabilities existed in python, the most serious of which may lead to arbitrary code execution. This update addresses the issues by applying patches from the python project. Further information is available via the python site at http://www.python.org/download/releases/

    CVE-ID

    CVE-2010-1634

    CVE-2010-2089

    CVE-2011-1521

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: Multiple memory corruption issues existed in QuickTime's handling of movie files.

    CVE-ID

    CVE-2011-3228 : Apple

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow existed in the handling of STSC atoms in QuickTime movie files. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0249 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow existed in the handling of STSS atoms in QuickTime movie files. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0250 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow existed in the handling of STSZ atoms in QuickTime movie files. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0251 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow existed in the handling of STTS atoms in QuickTime movie files. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-0252 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: An attacker in a privileged network position may inject script in the local domain when viewing template HTML

    Description: A cross-site scripting issue existed in QuickTime Player's 'Save for Web' export. The template HTML files generated by this feature referenced a script file from a non-encrypted origin. An attacker in a privileged network position may be able to inject malicious scripts in the local domain if the user views a template file locally. This issue is resolved by removing the reference to an online script. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-3218 : Aaron Sigel of vtty.com

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow existed in QuickTime's handling of H.264 encoded movie files.

    CVE-ID

    CVE-2011-3219 : Damian Put working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Viewing a maliciously crafted movie file may lead to the disclosure of memory contents

    Description: An uninitialized memory access issue existed in QuickTime's handling of URL data handlers within movie files.

    CVE-ID

    CVE-2011-3220 : Luigi Auriemma working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: An implementation issue existed in QuickTime's handling of the atom hierarchy within a movie file.

    CVE-ID

    CVE-2011-3221 : an anonymous researcher working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Viewing a maliciously crafted FlashPix file may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow existed in QuickTime's handling of FlashPix files.

    CVE-ID

    CVE-2011-3222 : Damian Put working with TippingPoint's Zero Day Initiative

  • QuickTime

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow existed in QuickTime's handling of FLIC files.

    CVE-ID

    CVE-2011-3223 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero Day Initiative

  • SMB File Server

    Available for: OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: A guest user may browse shared folders

    Description: An access control issue existed in the SMB File Server. Disallowing guest access to the share point record for a folder prevented the '_unknown' user from browsing the share point but not guests (user 'nobody'). This issue is addressed by applying the access control to the guest user. This issue does not affect systems prior to OS X Lion.

    CVE-ID

    CVE-2011-3225

  • Tomcat

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: Multiple vulnerabilities in Tomcat 6.0.24

    Description: Tomcat is updated to version 6.0.32 to address multiple vulnerabilities, the most serious of which may lead to a cross site scripting attack. Tomcat is only provided on Mac OS X Server systems. This issue does not affect OS X Lion systems. Further information is available via the Tomcat site at http://tomcat.apache.org/

    CVE-ID

    CVE-2010-1157

    CVE-2010-2227

    CVE-2010-3718

    CVE-2010-4172

    CVE-2011-0013

    CVE-2011-0534

  • User Documentation

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8

    Impact: An attacker in a privileged network position may manipulate App Store help content, leading to arbitrary code execution

    Description: App Store help content was updated over HTTP. This update addresses the issue by updating App Store help content over HTTPS. This issue does not affect OS X Lion systems.

    CVE-ID

    CVE-2011-3224 : Aaron Sigel of vtty.com and Brian Mastenbrook

  • Web Server

    Available for: Mac OS X Server v10.6.8

    Impact: Clients may be unable to access web services that require digest authentication

    Description: An issue in the handling of HTTP Digest authentication was addressed. Users may be denied access to the server's resources, when the server configuration should have allowed the access. This issue does not represent a security risk, and was addressed to facilitate the use of stronger authentication mechanisms. Systems running OS X Lion Server are not affected by this issue.

  • X11

    Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7 and v10.7.1, OS X Lion Server v10.7 and v10.7.1

    Impact: Multiple vulnerabilities in libpng

    Description: Multiple vulnerabilities existed in libpng, the most serious of which may lead to arbitrary code execution. These issues are addressed by updating libpng to version 1.5.4 on OS X Lion systems, and to 1.2.46 on Mac OS X v10.6 systems. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html

    CVE-ID

    CVE-2011-2690

    CVE-2011-2691

    CVE-2011-2692

Security is often overlooked when writing shell scripts. Many programmers ignore shell script security under the assumption that anything an attacker can do by attacking a script can be achieved more easily by simply executing the commands themselves. This is not true, however, when the script takes input from an untrusted third party:

  • Shell scripts running as CGI scripts on a web server take input from the network.

  • Shell scripts that read files and take actions based on their contents may take input from untrusted files.

  • Shell scripts that perform web queries (with curl, for example) or other network requests may take input from untrusted servers or clients.

Further, most security problems are also correctness bugs even if someone is not trying to attack your code.

This chapter describes a few common mistakes in scripting, shows how these vulnerabilities can be exploited, and explains how to prevent these attacks in your scripts.

This chapter also describes how UNIX permissions and POSIX access control lists (ACLs) affect your scripts and how to manipulate those permissions and ACLs in your scripts.

Environment Attacks

Environment variable attacks are the most common way to manipulate script behavior. An attacker who controls the environment a script runs in can change what the script does wherever it depends on the values of those variables.

Although they are less harmful for scripts these days (because no modern OS honors the setuid bit on a script), they can still cause incorrect behavior. For setuid binaries they are far more dangerous. They also matter in a multiuser setting whenever one user gains the ability to modify another user's login scripts through a bug or incorrect configuration.

The most common environment attack is modifying the PATH environment variable. This variable controls what gets executed when you type a command without giving the full path.

Consider the following code:

The attack:

Create an executable binary or script that does something harmful and name it “ls”. Then do this:

Because the path to the malicious binary is first in the search path, the malicious ls command gets executed instead of the real one.

Mitigation:

Always specify absolute or relative paths when executing binaries or other scripts. If your script runs other scripts or binaries that do not use absolute or relative paths internally, you should explicitly set the value of the PATH environment variable in your scripts to prevent problems.
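The following script, added here and not part of the original chapter, puts the PATH attack and the mitigation side by side. It builds an attacker-controlled directory holding a fake `ls`, runs a function that calls `ls` unqualified under a PATH that lists that directory first, and then runs a hardened version that pins PATH and calls `/bin/ls` and `/usr/bin/head` by absolute path. The function names, the `HIJACKED` marker and the assumption that `/bin/ls` and `/usr/bin/head` exist (true on macOS and common Linux distributions) are mine, not the chapter's.

```shell
#!/bin/sh
# Added example (not from the original chapter): a PATH hijack and its fix.
# Assumption: /bin/ls and /usr/bin/head exist on the system.

# Attacker side: a directory the attacker can write to, holding a fake "ls".
# Any script that runs a bare "ls" with this directory first in PATH
# executes the fake instead of the real binary.
setup_attacker_dir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/hijackXXXXXX") || return 1
    printf '#!/bin/sh\necho HIJACKED\n' > "$dir/ls"
    chmod 755 "$dir/ls"
    printf '%s\n' "$dir"
}

# Vulnerable: "ls" (and "head") are resolved through whatever PATH the
# caller supplied.
vulnerable_first_entry() {
    ls "$1" | head -n 1
}

# Hardened: run in a subshell, pin PATH to known system directories, and
# call the binaries by absolute path so PATH is not consulted at all.
# The subshell body keeps the PATH change from leaking to the caller.
hardened_first_entry() (
    PATH=/usr/bin:/bin
    export PATH
    /bin/ls "$1" | /usr/bin/head -n 1
)

# Demo: a victim directory with one file, then both functions run under an
# attacker-controlled PATH. Only the hardened one reports the real file.
demo() {
    victim=$(mktemp -d "${TMPDIR:-/tmp}/victimXXXXXX") || return 1
    : > "$victim/real_file"
    attacker=$(setup_attacker_dir) || return 1
    (
        PATH="$attacker:$PATH"
        export PATH
        printf 'vulnerable: %s\n' "$(vulnerable_first_entry "$victim")"
        printf 'hardened:   %s\n' "$(hardened_first_entry "$victim")"
    )
    rm -rf "$victim" "$attacker"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the file with `demo` as its only argument to see `HIJACKED` from the vulnerable function and `real_file` from the hardened one. Pinning PATH inside a subshell matters as much as the absolute paths: it also protects any child scripts the function runs that do not qualify their own commands.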

Attacks On Files In Publicly Writable Directories

Files in publicly writable directories, including temporary files, are vulnerable to attack by substituting a malicious file in place of the file your script intended to read or write.

Temporary File Attack

The simplest example of this attack is a tool storing secret information into a temporary file.

Consider the following code:

The attack:

Create a tool that watches for the file /tmp/mysecretdata to appear. (Although this can be done with a shell script, it probably won’t be fast enough to work very often. Use the File System Events API in C instead.)

Upon detecting the existence of the path, do this:

If the attacker manages to open the file before the script executes the chmod command, it can continue to read data from the file for as long as it keeps the file open.

Mitigation:

There are two things you must do to fix this:

  • Always use the umask command to specify initial permissions on the file when you create it.

  • Always create temporary files with the mktemp command. This creates a new file with the specified template, ensuring that a file or symbolic link with that name does not already exist.

For example:

However, assuming you actually intend to use the data again in the future, this mitigation is probably not sufficient either, for the reasons described in the next attack.

Input File Attack

A similar attack can be performed on files used as inputs to shell scripts.

Consider a script that executes the following code:

This script sends the contents of a temporary file to port 3333 of another computer at IP address 192.168.1.102 using the nc utility.

The attack:

Create a tool that watches for the file /tmp/mydata to appear. (Although this can be done with a shell script, it probably won’t be fast enough to work very often. Use the File System Events API in C instead.)

Upon detecting the existence of the path, do this:

If the attacker manages to do this before the script reads the file, then your secret password (presumably 12345, from the previous script) is sent unencrypted over port 3333. The attacker can then sniff for traffic on that port, and can log into your account (or at least unlock your luggage).

Mitigation:

This is particularly troublesome to mitigate because UNIX tools inherently follow symbolic links. The only way to solve the problem is to avoid writing the actual files into public directories. You should do this as follows:

  • Always create temporary directories with the mktemp command, then create your actual temporary files inside those directories. By doing this, you can set restrictive permissions on the directory that will prevent an attacker from deleting your files and replacing them.

    If you specify the -d flag, the mktemp command creates a new directory with the specified template, ensuring that a file or directory with that name does not already exist.

  • Always use the umask command to specify initial permissions on files and directories when you create them.


For example:

Injection Attacks

The most common type of attack in shell scripts is the injection attack. This type of attack occurs when arguments stored in user-provided variables are passed to commands without proper quoting.

Simple Example

Consider the following example:

This code has two security holes. Can you spot them?

  • if [ x$FOO = xfoo ] ; then

    This statement allows for an injection attack on FOO.

    The attack:

    Pass “foo = xfoo -o x” as the value for FOO.

    Because $FOO is not quoted, the shell splits its value into separate words before the test command sees them, so the statement becomes [ xfoo = xfoo -o x = xfoo ], which is true even though the value of FOO is not “foo”. Depending on what this test guards, this could potentially cause unexpected behavior.

    Mitigation:

    To fix this bug, change the if statement to read:

  • eval $BAR

    This is a no-no. Never run eval on data passed in by a user unless you have very, very carefully sanitized it (and if possible, use a whitelist to limit the allowed values).

    The attack:

    Pass a dangerous command for BAR.

    Mitigation:

    Just don’t do that.
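The following is an added example, not code from the original document: it puts the unquoted test beside its quoted form so the injection can be reproduced, and replaces the eval with a whitelist implemented as a case statement. The payloads and the action names (status, reload) are constructed for the demonstration.

```shell
#!/bin/sh
# Quoting a variable inside a test, and replacing eval with a whitelist.

# Vulnerable form from the text: $FOO is unquoted, so the shell splits its
# value into words and test receives extra operators chosen by the caller.
match_unsafe() {
    FOO=$1
    # shellcheck disable=SC2086
    if [ x$FOO = xfoo ] ; then echo yes; else echo no; fi
}

# Fixed form: the double quotes keep the whole value as a single word, so
# test always sees exactly three operands.
match_safe() {
    FOO=$1
    if [ "x$FOO" = "xfoo" ] ; then echo yes; else echo no; fi
}

# Instead of eval "$BAR", map the caller's value onto a fixed set of actions.
# Anything not on the list is rejected, so shell metacharacters never reach
# the parser as code.
run_action() {
    BAR=$1
    case $BAR in
        status) echo "status requested" ;;
        reload) echo "reload requested" ;;
        *)      echo "rejected" ;;
    esac
}

# Usage (constructed inputs):
match_unsafe 'foo = xfoo -o x'   # yes: the injected -o clause makes the test true
match_safe   'foo = xfoo -o x'   # no
run_action   'reload; rm -rf /'  # rejected
```

Run with sh or bash. The whitelist is the important half: quoting stops data from becoming operators, but only a closed set of accepted values stops data from becoming commands.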

Subtle Example

The following example is more subtle. Instead of running eval, it writes data to a script, but does so without protecting the values:

The attack:

Pass the value “; rm randomfile” to cause this script to delete a file.

The Wrong Mitigation:


You might be tempted to fix this bug by changing the echo and execution lines to read:

However, this still does not solve the problem because FOO is expanded immediately, which means that if the value of FOO contains a quotation mark—for example, “';rm randomfile ; echo '”, you now have a different (but equally bad) security hole.

Correct Mitigation #1:

One way to fix this bug is to change the echo line to read:

This causes the variable FOO to be expanded when the script is executed. However, this works only if the variable FOO is exported, because otherwise the variable FOO would expand to nothing in the second script.

Correct Mitigation #2:

Another way to fix this bug is to change the echo line to read:

By using single quotes around the string in the secondary script, the only character relevant to the shell is the single quote character. The sed command then replaces any single quote characters in the string with a closing single quote followed by a single quote wrapped in double quotes followed by an opening single quote.
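The following is an added example, not code from the original document. It implements Correct Mitigation #2 as a small quoting function, generates a script from an untrusted value with and without it, and runs the result in a scratch directory to show which version loses the file. The payloads and the file name randomfile are constructed.

```shell
#!/bin/sh
# Embedding an untrusted value in a generated script without letting it
# become code.

# Wrap a string in single quotes for the shell. Inside single quotes the only
# special character is the single quote itself, so each one in the value is
# replaced with '"'"' (close quote, a double-quoted quote, reopen quote).
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\"'\"'/g")"
}

# Vulnerable generator from the text: the value is expanded straight into the
# script source, so "; rm randomfile" becomes a second command.
generate_unsafe() {
    printf 'echo %s\n' "$1" > "$2"
}

# Fixed generator: the value is quoted before it is written, so the generated
# script treats it as data no matter what it contains.
generate_safe() {
    printf 'echo %s\n' "$(shell_quote "$1")" > "$2"
}

# Run a generator ($1) with a payload ($2) in a scratch directory holding one
# file named randomfile. Prints the generated script's output, then whether
# randomfile survived.
run_generated() {
    d=$(mktemp -d) || return 1
    : > "$d/randomfile"
    "$1" "$2" "$d/gen.sh"
    ( cd "$d" && sh ./gen.sh )
    if [ -e "$d/randomfile" ]; then echo file_present; else echo file_removed; fi
    rm -rf "$d"
}

# Usage (constructed payloads):
run_generated generate_unsafe '; rm randomfile'             # blank line, then file_removed
run_generated generate_safe   "'; rm randomfile ; echo '"   # the payload itself, then file_present
```

The second payload is the one from the text that defeats the double-quote fix; with the quoting function it is echoed back verbatim and the file is untouched.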

Backwards Compatibility Example

The following example is not dangerous in modern shells, but is dangerous in older Bourne shells:

The attack:

Pass the value “; rm randomfile” to cause this script to delete a file in older shells.

Most modern shells parse the statement prior to any variable substitution, and are thus unaffected by this attack. However, for proper security when your script is run on older systems (not to mention avoiding a syntax error if the filename contains spaces), you should still surround the variable with double quotes.

Mitigation:

To fix this bug, change the echo line to read:

Authentication Attacks

In general, you should not rely on a script to determine whether a user does or does not have permission to do something. It is clumsy and error-prone. It is possible to do so, however, and there are right and wrong ways to do it.

The wrong way:

This code has three security bugs, and they’re all caused by using variables in ways that are unsafe. For historical compatibility, the OS provides the UID, USER, and HOME environment variables. They are quite useful as long as you aren’t using them for security reasons.

The attack:

Even though most modern Bourne shells protect against modifying UID, the USER variable is unprotected, and not all shells protect the UID variable, either.

Fortunately, the script just changed into a directory. Combined with another exploitable attack such as an injection attack, however, this could be exploited in bad ways.

Mitigation:

To obtain the user ID:

To obtain the username:

To obtain the actual home directory:

Note that this method for obtaining the home directory is specific to OS X.
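The following is an added example, not code from the original document. It runs the same probes under an environment a hostile caller could supply (USER and HOME overridden with constructed values) and shows that id(1) is unaffected. The getent branch is an assumption for non-OS X systems; the dscl branch is the OS X method from the text.

```shell
#!/bin/sh
# Identity from the environment versus identity from the system.

# Vulnerable: USER and HOME (and, in shells that do not protect it, UID) are
# ordinary environment variables, so whoever launches the script picks them.
who_by_env() {
    printf '%s:%s\n' "${USER:-unset}" "${HOME:-unset}"
}

# Safe: id(1) asks the kernel for the real user ID and resolves the name
# through the account database, neither of which the caller can influence.
who_by_id() {
    printf '%s:%s\n' "$(id -u)" "$(id -un)"
}

# Home directory from the account database rather than $HOME. dscl is the
# OS X method from the text; getent is assumed as the Linux equivalent.
home_by_lookup() {
    if [ "$(uname)" = Darwin ]; then
        dscl . -read "/Users/$(id -un)" NFSHomeDirectory | awk '{print $2}'
    else
        getent passwd "$(id -u)" | cut -d: -f6
    fi
}

# Run a command line the way a hostile caller could: with USER and HOME
# overridden in the environment. (Constructed values.)
as_spoofed_caller() {
    env USER=intruder HOME=/tmp/not-your-home sh -c "$1"
}

# Usage: the first line is whatever the caller claims; the second is the truth.
as_spoofed_caller 'printf "%s:%s\n" "$USER" "$HOME"'       # intruder:/tmp/not-your-home
as_spoofed_caller 'printf "%s:%s\n" "$(id -u)" "$(id -un)"'
```

Anything a script decides on the basis of who_by_env is decided by the caller; use id(1) and a directory-service lookup for every security decision.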

Permissions and Access Control Lists

OS X uses the UNIX permissions model, extended by POSIX access control lists. These permissions models are described in detail in the OS X File System Security section of File System Programming Guide. This section assumes that you are already at least peripherally familiar with the concept of users and groups.

Examining File Permissions

UNIX permissions are visible to users in Terminal and in the Finder’s Get Info window. In Terminal, you can easily look at the permissions in a human-readable format by using the ls command as follows:

The left character indicates whether the file system object is a file (-), directory (d), symbolic link (l), block (b) or character (c) special file, named pipe (p), or UNIX domain socket (s).

The next three characters show the Owner permissions, followed by the Group permissions, and finally, the Other permissions as listed in the following table:

Permissions flag   Octal bit value                          Meaning

-                  n/a                                      No permission
r                  4                                        Read permission
w                  2                                        Write permission
x                  1                                        Execute permission
s                  In the optional first octal digit:       Setuid or setgid with execute permission
                     4 = setuid (Owner triple)
                     2 = setgid (Group triple)
S                  See above.                               Setuid or setgid without execute permission
t                  In the optional first octal digit: 1     Sticky bit with execute permission
T                  See above.                               Sticky bit without execute permission

An s or S appears in the execute position of the Owner triple (setuid) or the Group triple (setgid); a t or T appears only in the execute position of the Other triple.

The complete set of permissions is often expressed in octal, as defined by the bits in the table above. The first digit includes the sticky bit and setuid and setgid bits. If zero, you may omit it when passing the value to most commands. The remaining three digits contain the Owner (user), Group, and Other permissions, respectively.

For example, for a file that is setuid and setgid, with read/write/execute Owner permissions and read/execute Group and Other permissions (shown by ls as rwsr-sr-x), the octal equivalent is 6755:

  • The leading special permissions value is 6, which is the bitwise OR of setuid (4) and setgid (2).

  • The Owner permission is 7, which is the bitwise OR of the read (4), write (2), and execute (1) bits.

  • The Group and Other permissions are both 5, which is the bitwise OR of the read (4) and execute (1) permissions.

To show the UNIX permissions of a file, use the stat command as follows:

Ignore all but the last four digits returned.
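The following is an added example, not code from the original document. It carries the table above through in code: a converter from the nine permission characters that ls prints to the four-digit octal mode, plus a portable way to read a file's mode that works where the stat command's output format differs. The function names are constructed.

```shell
#!/bin/sh
# Turning the nine permission characters printed by ls -l into a four-digit
# octal mode, including the setuid, setgid and sticky bits.

# $1: one triple (rwx, r-s, rwt, ...), $2: the special-bit value that triple
# can carry (4 setuid for Owner, 2 setgid for Group, 1 sticky for Other).
# Prints "<digit> <special>".
triple_to_octal() {
    t=$1
    d=0
    special=0
    case $t in r??) d=$((d + 4)) ;; esac
    case $t in ?w?) d=$((d + 2)) ;; esac
    case $t in ??[xst]) d=$((d + 1)) ;; esac    # lowercase s and t imply execute
    case $t in ??[sStT]) special=$2 ;; esac      # s, S, t or T carries the special bit
    printf '%s %s\n' "$d" "$special"
}

# $1: the 9-character string, e.g. rwsr-sr-x. Prints e.g. 6755.
mode_to_octal() {
    m=$1
    [ "${#m}" -eq 9 ] || { echo "mode_to_octal: expected 9 characters" >&2; return 1; }
    u=$(triple_to_octal "$(printf '%s' "$m" | cut -c1-3)" 4)
    g=$(triple_to_octal "$(printf '%s' "$m" | cut -c4-6)" 2)
    o=$(triple_to_octal "$(printf '%s' "$m" | cut -c7-9)" 1)
    us=${u#* }; gs=${g#* }; os=${o#* }
    printf '%s%s%s%s\n' "$((us + gs + os))" "${u% *}" "${g% *}" "${o% *}"
}

# Portable alternative to stat: take the mode string from ls -ld, dropping the
# type character in column 1 and anything ls appends after column 10 (an @ for
# extended attributes or a + for an ACL on OS X).
file_mode() {
    mode_to_octal "$(ls -ld "$1" | cut -c2-10)"
}

# Usage:
mode_to_octal rwsr-sr-x    # 6755
mode_to_octal r-x--x-w-    # 0512
```

The leading digit is printed even when it is zero; drop it when passing the value to commands that expect three digits.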

Changing File Ownership and Permissions

The ability to change file ownership and permissions is limited by the operating system for security and quota reasons. Users can:

  • Change the permissions for any file that they own.

  • Change the group for any file that they own to any group that they are a member of.

Non-root users cannot:

  • Change permissions on files owned by anyone else.

  • Change the group of a file to a group that they are not a member of.

  • Change the owner of any file.

The root user can change permissions and ownership arbitrarily except when blocked by BSD file system flags.

With those restrictions in mind, the sections that follow describe how to change permissions and change user and group ownership of files and directories.

Use chown and chgrp to Change User and Groups Ownership

You can change the owner of a file or directory with the chown command:

You can change the group for a file with either the chown command or the chgrp command:

You can also change both owner and group simultaneously:

For more information, see the manual pages for chown and chgrp.

Use chmod to Change File and Directory Permissions

OS X (and other UNIX-based operating systems) provide the chmod command for changing the permissions of files and directories.

The chmod command, short for “change mode”, is so named because it allows you to modify file or directory modes. A mode is a three-digit or four-digit octal representation of the UNIX permissions for a file (or 4-5 digits in languages that require a leading zero, such as C).

There are two basic ways you can use the chmod command: numeric modes and human-readable flags.

Most users use chmod in its human-readable form:

This command tells chmod to add read (r) and write (w) access to the existing set of permissions for all users (a). So if the permissions were originally r-x--x-w-, the resulting permissions would be rwxrwxrw-.

You can also add and subtract permissions for the owning user (u), the group (g), or other users (o) separately. For example, to add read (r), write (w), and execute (x) permission for the owning user and take it away from members of the owning group and everyone else, you could issue either of the following commands:

Similarly, you can set the User, Group, or Other permissions without regard to what bits were set before by using equals. For example, to set group permissions to read, no-write, no-execute, you could issue the following command:

Finally, to make an executable run setuid (u+s) and setgid (g+s), you might execute a command like one of the following:

Alternatively, if you know the numeric file mode you want to apply (see Examining File Permissions for details), you can pass the chmod command either a three-digit or four-digit mode value:

The chmod command can also be used to modify POSIX access control lists (ACLs). This use is described later, in Use chmod to Modify Access Control Lists.

Use chflags to Set Special File Permission Flags

In addition to the standard permission flags, OS X has a few special permission flags that can be set using the chflags or lchflags command (or with the chflags or fchflags API in C). These flags are described in the OS X File System Security section of File System Programming Guide.

The permissions flags set with chflags take precedence over any permissions granted by normal UNIX permissions or access control lists.

The usage of the chflags command is fairly straightforward. For example, to make a file immutable (so that it cannot be moved, renamed, deleted, or modified), you can issue one of the following commands:

Notice that the flag comes in two variants: the user flag and the system flag. The user flag can be changed by the file’s owner and root (just like normal permissions). The system flag can be changed solely by root.

To undo this change, you would issue one of the following commands:

For cross-platform compatibility and readability reasons, OS X supports two other variations on each of these flags: uchange, uimmutable, schange, and simmutable. These variants behave identically to their shortened forms.

There are several other flags you can set with the chflags command, the most common being the user and system append-only flags (uappnd/uappend and sappnd/sappend, respectively).

For more information, read the chflags and lchflags manual pages and the OS X File System Security section of Security Overview.

Use chmod to Modify Access Control Lists

The chmod command is most commonly known for its ability to modify UNIX permissions. However, in OS X, it also does double duty, providing the scripting interfaces for modifying a file’s POSIX access control lists (ACLs).

The basic concept of ACLs is fairly straightforward. An access control list is a list of rules (access control entries, or ACEs).

  • Each entry grants or denies the right to access a file or directory in a particular way (the right to read the file, for example).

  • For any given right, the first entry in the list that matches against the current user’s user ID or group membership wins.

  • If the end of the list is reached without matching anything, the file or directory’s UNIX permissions are used to determine access.

This is a greatly simplified explanation; for full details, read the OS X File System Security section of Security Overview.

Each ACL entry looks like this:

where username and groupname are the names of a user or group, respectively, and rightname is the name of an access right (read, for example).

You can add an access control entry with the +a flag to chmod. For example, to deny read access on a file to the MySQL user, you would type:

To see the results of your changes, type:

By default, new access control list entries are appended to the end of the list. If you need to insert an access control entry elsewhere in the list, you can use the +a# flag. For example, to insert a new rule at position zero (the top of the list), you would issue a command like this one:

You can delete an access control entry with the -a flag like this:

This command deletes any entry that is an exact match for the specified rule.

Finally, you can replace an entry with another entry using the =a# flag. For example, to change the username in the rule inserted above from _www to _mdnsresponder, you would type:

In addition to the basic rules described above, the ACL system in OS X supports inheritance. Any inherited ACL entries for a directory are automatically copied to any new files created within that directory at the time of creation.

You can specify:

  • whether an ACL should be inherited by:

    • enclosed files—file_inherit right

    • directories—directory_inherit right

    • both—file_inherit,directory_inherit right

    • neither (the default).

  • whether an ACL should be inherited by the children of enclosed directories (the default) or not (limit_inherit right).

  • whether an ACL should apply to the directory itself (the default) or merely be inherited by things inside it (only_inherit right).

You can specify any combination of these flags in an access control entry for a directory by passing the flags as part of the rights list.

For example:

This rule prevents the _www user from listing the directory’s contents. It also prevents the _www user from accessing any files within the specified directory even with an exact name lookup (search). The rule is inherited by any new directory created inside the specified directory (and any directory created inside that one, and so on), but is not inherited by ordinary files.

Note: Inheritance flags apply exclusively to access control entries for directories. You cannot set these flags on files.

Cross-platform Compatibility Note: The behavior of command-line tools for modifying access control lists is not standardized. For tips on handling this across multiple platforms, see Access Control List (ACL) Management in Designing Scripts for Cross-Platform Deployment.

The ACL scheme in OS X is described in more detail in the OS X File System Security section of Security Overview. For more information about the command-line flags for getting and setting ACLs, see the manual page for chmod.

Securing Temporary Files

Because the temporary directories in OS X and other UNIX-based operating systems are world-writable, you must take care to ensure that you are modifying the file you think you are modifying.

For example, the following code has two serious bugs:

An application that happens to get the timing right can create a file called /tmp/mytempfile right after the script checks for its existence, wait for the script to write data into it, and subsequently steal the password. The chmod command would produce an error in this case, but because the script doesn’t check the result code, the error is moot.

To solve this problem, always use the mktemp command to create temporary files. The mktemp command creates files with initial permissions of 0600, and never returns an existing file. (Using mktemp also provides an easy way to obtain a known-unique filename, potentially avoiding unexpected behavior caused by temp file collisions.)

Important: Although OS X does not use a privileged helper to clean up temporary files (except during a reboot), some operating systems do. If a script could potentially take a long time to execute without modifying a temporary file, such privileged cleanup helpers can open up a security vulnerability by deleting the existing temp file out from under your script.

Because of this risk, system-provided temporary directories should only be used to store sensitive data briefly. You should do as little work as possible between creating the file and using it, and should clean up the file as soon as possible afterwards.

Further, if you suspend your scripts for any significant period of time, your scripts must create any sensitive temporary files in a non-world-writable directory.

You should avoid writing sensitive data out to temporary files at all if you can possibly avoid it.
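The following is an added example, not code from the original document. It serves both the mitigation given under Input File Attack (a private directory from mktemp -d with a restrictive umask) and this section (a created-not-checked file, every step's exit status examined, prompt cleanup). The template name private.XXXXXX, the file name secret, and the sample values are constructed.

```shell
#!/bin/sh
# Keeping a secret in a temporary file: restrictive umask, a private directory
# from mktemp -d, create-only writes, a sanity check, and prompt cleanup.

# Script-wide: anything this script creates starts with no group or other bits.
umask 077

make_private_tmpdir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/private.XXXXXX") || return 1
    # Trust nothing about the path until it is verified: a real directory,
    # not a symbolic link, owner-only permissions.
    [ -d "$d" ] && [ ! -L "$d" ] || return 1
    [ "$(ls -ld "$d" | cut -c1-10)" = "drwx------" ] || return 1
    printf '%s\n' "$d"
}

# $1 = private directory, $2 = data. set -C (noclobber) makes the redirection
# fail if anything already exists at the path, so a planted file or symbolic
# link is refused rather than followed. Every step is checked, unlike the
# unchecked chmod in the vulnerable snippet.
write_secret() {
    ( umask 077; set -C; printf '%s\n' "$2" > "$1/secret" ) 2>/dev/null || return 1
    [ "$(ls -l "$1/secret" | cut -c1-10)" = "-rw-------" ] || return 1
}

read_secret() {
    cat "$1/secret"
}

discard_private_tmpdir() {
    rm -rf "$1"
}

# Do as little as possible between creating the file and using it, and remove
# it on every exit path. The body runs in a subshell so the EXIT trap fires
# as soon as the function returns.
use_secret_briefly() (
    d=$(make_private_tmpdir) || exit 1
    trap 'discard_private_tmpdir "$d"' EXIT
    write_secret "$d" "$1" || exit 1
    read_secret "$d"
)

# Usage (constructed secret):
use_secret_briefly 12345    # prints 12345; the directory is gone afterwards
```

A second write_secret to the same directory fails instead of replacing or following whatever is there; that refusal is the behavior the check-then-write pattern in the vulnerable snippet cannot provide.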

Flags That Affect Security (and Correctness)

The set builtin (described in the sh man page) sets a number of shell features that can be used to reduce the risk posed by certain types of common programming mistakes. These flags allow your scripts to automatically exit if an unset variable is expanded, automatically exit if any simple commands fail, or automatically export variables.

In addition, the BASH shell provides a flag that causes pipes to return a nonzero exit status when any command in the chain of pipes exits with an error instead of always returning the exit status of the last command. It also supports a flag that limits the effect of environment variables on the interpreter, intended for use in scripts that are expected to be run as a privileged user (for example, the root user).

Detecting Unset Variables

By default, the Bourne shell treats unset variables as empty (unlike csh). If your script expects that unset variable to contain a value, this can lead to incorrect script execution and, depending on the script, may even result in a security hole. To guard against this, you can issue the following command:

With this flag set, if your script expands a variable that has never been set, the shell prints an error message, and the entire script exits immediately with a nonzero exit status. A variable that has been set to the empty string does not trigger the error, and neither does an expansion that supplies a default, such as ${FOO:-default}; use that form for variables that are legitimately optional.

Note: If your script changes its behavior deliberately based on the presence or absence of one or more environment variables, you should typically perform those tests before you set this flag.

If desired, you can later restore the default behavior with the following command:

Checking Exit Status Automatically

For very simple scripts, checking the exit status of each command can be tedious. You can greatly simplify these scripts by instead issuing the following command:

With this flag set, if any simple command exits with a nonzero exit status, the shell terminates with that command’s exit status. A simple command is defined as a command that includes no pipes or lists, that is not executed as part of a control statement, and whose exit status is not inverted with an exclamation point.

Important: Because there are many situations in which errors can be masked (particularly in pipes and lists), this flag is not a substitute for proper error checking in complex scripts.

If desired, you can later restore the default behavior with the following command:

Exporting Variables Automatically

It is not always necessary to export variables that your script uses internally. However, if a child process depends on the values of those variables, they must be exported. In some cases, failing to export a variable could even result in a security hole if it causes the child to grant a user access that they would otherwise not have. For example, if a CGI script running in a web server environment provides additional limits on what files a remote user can access, a bug in that script might give the user access to other files.

You can, if desired, tell the shell to automatically export any variable that your script sets by issuing the following command:

Warning: Automatically exporting variables can also cause a security hole by exporting variables containing sensitive data, such as internal passwords and application keys, into the environments of every command that your script executes. If the output of those commands could be seen by an untrusted user—commands executed by a CGI script, for example—then you risk leaking sensitive data. For this reason, you should avoid setting this flag if your script contains any sensitive data, such as internal passwords or application keys.

If desired, you can later restore the default behavior with the following command:
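The following is an added example, not code from the original document. Each function runs one of the three flags in a child shell, so the flag never affects the caller, and returns what a script would observe: the exit status under -u and -e, the masking cases the text warns about, and what a child command sees with and without -a. The names UNSET_EXAMPLE and EXAMPLE_API_KEY and the value hunter2 are constructed.

```shell
#!/bin/sh
# Observing set -u, set -e and set -a, each in a child shell so the flag never
# leaks into the caller.

# set -u: expanding a variable that was never set aborts the script.
nounset_status() {
    status=0
    sh -c 'set -u; printf %s "$UNSET_EXAMPLE"' 2>/dev/null || status=$?
    echo "$status"            # nonzero
}

# ...but an expansion that supplies a default is not an error, which is how
# optional variables should be read under set -u.
nounset_default_status() {
    status=0
    sh -c 'set -u; printf %s "${UNSET_EXAMPLE:-fallback}"' >/dev/null || status=$?
    echo "$status"            # 0
}

# set -e: a failing simple command ends the script with that status.
errexit_status() {
    status=0
    sh -c 'set -e; false; echo not-reached' || status=$?
    echo "$status"            # 1
}

# ...but the same failure used as a condition is a test, not an error, so the
# script continues: one of the cases where errors are masked.
errexit_condition_output() {
    sh -c 'set -e; if false; then :; fi; false && :; echo reached'
}

# set -a: every assignment after it is exported, so the key lands in the
# environment of each child. $1 is "set -a" or ":" (do nothing).
key_seen_by_child() {
    sh -c "$1; EXAMPLE_API_KEY=hunter2; sh -c 'printf %s \"\${EXAMPLE_API_KEY:-not-in-environment}\"'"
}

# Usage:
nounset_status
errexit_condition_output
key_seen_by_child 'set -a'   # hunter2
key_seen_by_child ':'        # not-in-environment
```

The last pair is the leak the warning describes: with -a in effect, every command the script runs, including ones whose output an untrusted user can see, receives the key in its environment.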

Retrieving the Exit Status of Piped Commands in BASH

The exit status of a series of commands connected by pipes is, by default, the exit status of the rightmost command. If you do not examine the output from the final command to ensure that it makes sense, this default behavior can potentially mask errors that might lead to security problems.


For example, consider the following code:

In the first command, even though the ls command fails, the cat command does not care whether it received any input or not, and thus exits with a zero exit status. As a result, the pipe’s exit status is zero. If it is critical to know whether the first command failed (for example, if it performs an operation with an important side effect, such as removing a file on disk), then this is potentially unsafe.

There are many ways that you can fix this problem. The most obvious fix is to store the results of the first command into a variable temporarily, check the result code of the first command, and then use echo to pipe the results to the second command. This technique is often less than ideal for commands that take a long time to execute or produce large amounts of output, however, because the second command does not receive any data until after the first command exits. The performance impact is particularly noticeable if the output of the final command is expected to be read by the user.

As an alternative, in BASH, you can issue the following command before issuing the commands above:

After issuing this command, the pipe’s exit status is provided by the rightmost command that failed with a nonzero exit status, or zero if every command in the chain of pipes exited successfully. In the earlier example, the final echo command would print the number 1 (the exit status of the ls command).

Note: This feature is specific to BASH and is not supported by other Bourne shell implementations. If you use this feature, you should change the interpreter line to the following:

If you are writing a script that must be portable to other sh implementations, you cannot use this setting. Instead, either store the results in an intermediate variable or file, or check the final result carefully to ensure that it makes sense.
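The following is an added example, not code from the original document. It reproduces the ls | cat case from the text and returns the pipeline's exit status four ways: the default, with BASH's pipefail, through BASH's PIPESTATUS array, and with the portable intermediate-file approach. The path /nonexistent/dir is constructed and assumed not to exist.

```shell
#!/bin/sh
# The exit status of "ls | cat" when ls fails: the default, BASH's pipefail,
# BASH's PIPESTATUS, and a portable fallback that checks the producer itself.

# Default behavior: the pipeline reports cat's status, so the failure is lost.
pipeline_status_default() {
    status=0
    sh -c 'ls /nonexistent/dir 2>/dev/null | cat >/dev/null' || status=$?
    echo "$status"            # 0
}

# BASH only: with pipefail the pipeline reports the rightmost failing command.
pipeline_status_pipefail() {
    status=0
    bash -c 'set -o pipefail; ls /nonexistent/dir 2>/dev/null | cat >/dev/null' || status=$?
    echo "$status"            # nonzero (the exit status of ls)
}

# BASH only: PIPESTATUS holds every command's status after the pipeline runs.
pipeline_first_status_bash() {
    bash -c 'ls /nonexistent/dir 2>/dev/null | cat >/dev/null; echo "${PIPESTATUS[0]}"'
}

# Portable: write the producer's output to a private file, check its status,
# and only then hand the data to the consumer.
pipeline_status_portable() {
    status=0
    tmp=$(mktemp) || return 1
    ls /nonexistent/dir >"$tmp" 2>/dev/null || status=$?
    if [ "$status" -eq 0 ]; then cat "$tmp" >/dev/null; fi
    rm -f "$tmp"
    echo "$status"            # nonzero
}

# Usage:
pipeline_status_default
pipeline_status_pipefail
pipeline_status_portable
```

The portable version pays the cost the text describes (the consumer waits for the producer to finish), which is acceptable for short output and unavoidable in scripts that must run under sh.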

If desired, you can later restore the default behavior with the following command:

Sanitizing the Environment in BASH

For BASH shell scripts (or Bourne shell scripts running in BASH) that must run in a privileged environment (as the root user, for example), it is a good idea to tell the shell not to execute any startup file named by the environment and not to import shell functions from it. A non-interactive BASH does not read .bashrc or .profile, but it does execute the file that the BASH_ENV environment variable points at, and it imports any functions that were exported into its environment; either can carry alias commands that affect script execution, functions that override commands in your script, or even malicious commands that an attacker wants your script to execute while running as the root user.

To sanitize the script’s environment in this way, you should change your script’s interpreter line to the following:

In this mode, the scripts referenced by the ENV and BASH_ENV environment variables are not executed, shell functions are not inherited from the environment, and the SHELLOPTS environment variable is ignored (current versions of BASH also ignore BASHOPTS, CDPATH, and GLOBIGNORE from the environment). Be aware of one side effect: when BASH starts with an effective user or group ID that differs from the real one, it normally resets the effective ID to the real one, but with -p it keeps the effective ID. Use the flag only where that is what you intend.

Note: Although you can theoretically set this value with the set builtin, by the time your script actually starts running commands, the damage is already done. For this reason, you should always set this flag in the interpreter line.

Also, you should be aware that this flag is specific to BASH, and is not broadly available in other shells.
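The following is an added example, not code from the original document. It plants the two things a hostile launching environment can hand a BASH script (an exported function that shadows ls, and a BASH_ENV startup file) and runs an inner bash without and with -p to show which one imports them. The fake ls and the MARK variable are constructed.

```shell
#!/bin/sh
# Two things a hostile launching environment can plant for a BASH script, and
# what bash -p does about them. Run each probe without and with -p.

# $1 = "" or "-p". The outer bash exports a function named ls into the
# environment, then starts an inner bash the way a script would be started.
# Prints "function" if the inner shell inherited the fake ls, "file" if it
# resolved the real ls from PATH.
probe_exported_function() {
    bash -c "ls() { echo hijacked; }; export -f ls; bash $1 -c 'type -t ls'"
}

# $1 = "" or "-p". Points BASH_ENV at a file that sets MARK, as a script's
# caller could. Prints "poisoned" if the file was sourced, "clean" if not.
probe_bash_env() {
    f=$(mktemp) || return 1
    printf 'MARK=poisoned\n' > "$f"
    BASH_ENV=$f bash $1 -c 'printf %s "${MARK:-clean}"'
    rm -f "$f"
}

# Usage:
probe_exported_function ''     # function
probe_exported_function -p     # file
probe_bash_env ''              # poisoned
probe_bash_env -p              # clean
```

The probes pass -p on the command line of the inner bash, which is where the flag belongs in a real script (the interpreter line); setting it later with the set builtin would come after the startup file and the imported functions have already been processed.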



Copyright © 2003, 2014 Apple Inc. All Rights Reserved. Terms of Use Privacy Policy Updated: 2014-03-10