Rixstep

[HELP REQ] Bypassing admin password on install copy

From the forum.



> We know that 99% of software has no business asking for our system password (passphrase).

Not only that: it's also a matter of what they do with it. Many ISV noobs passed it on the command line, making it easy for intruders to pick it up (through process lists etc). Those that truly need it are those who have to put something somewhere that requires authentication to write to.

There are other scenarios as well.

Harken back to the days of Opener to see how such things were abused. The author of Opener, a very sweet girl, wanted to impress on people the need for security. But Apple wouldn't listen. Thus Opener. The Opener script is a cornucopia of ways ISVs and the system itself plays abusively with passwords.

> There's usually no need for dropping anything in /Applications anyway

Nope. How this started is a curious matter. We've written extensively about it, because /Applications is a mess waiting to happen. From 'repair permissions' to the Month of Apple Bugs where it was discovered there were fatal flaws in Apple's own repair script, to just general confusion. All the while, of course, that the system itself admits of and looks for applications in myriad locations - and no one bothers informing users of this. Something like the one-tier dock. Keep it simple, even if it's a harmful policy.

> and instead we create a nice place in the user's directory, such as ~/Applications or wherever you like

We recommend that, yes. Unless you want to share it, in which case you use /Applications. It should be noted that Apple have software all over the place, not only in /Applications. They could easily create something under /System (in addition to CoreServices, which is a bit of a misnomer) which was always observed.

> I've done a lot of searching around online and learned how to extract payloads from .pkg installers to bypass admin passwords

Ah haha. They be dangerous critters, those Installer packages!

> I recently came across an installer for which I couldn't find a workaround. 'Lulu' by Objective-See

This? Hrm!

https://objective-see.com/products/lulu.html
https://github.com/objective-see/LuLu

> similar to Little Snitch for preventing phone calls home

Yes.

> I can block some things through my hosts file, but since I'm not a programmer it's nice to have something prompting me when there's an application attempting to call out. Anyway, what I can gather is that the installer wants to insert a startup daemon (which makes sense to ensure Lulu is monitoring network traffic from the boot onwards), thus requiring admin access (yes, no?).

Depends. More than root before complete boot. Known as 'single user mode' (SUM). There are no users, not even root, at that point (Opener was aware of that too). But yes, something in LaunchAgents or LaunchDaemons. (Check the script if there is one, or check Tracker's output.)

> How could I install such a software without giving away my administrator password? Is there a way, a workaround? I've done a lot of searching with no results.

Two scenarios. In both cases you need to submit a password, as it's your filesystem that needs it. In the one scenario (probably not likely here) that password has to be OK in the future, as the application will be inquiring of your keychain. In the other scenario, all that's needed is to copy in a file or two, including the PLIST config.

> If anyone knows how to keep my system safe it's the crew here at Rixstep.

Gosh. Thanks!

> I'm here to learn, so any advice without judgement is appreciated.

Yes. Keep some marginal time to enjoy too!

> My focus is on how to install certain 'apps' without giving up my password and not how to prevent phoning home; I would prefer to keep that focus. Suggestions and constructive criticisms are welcome. Cheers!

Anytime! And that's good focus!

**

> I tried to install VMWare Fusion 11 Pro into my ~/Applications and still wasn't able to do it locally without dishing out admin credentials.

He probably needs something at low level?

> For a moment I thought perhaps creating a temporary password would allow me to install and then after changing the admin password to something else if there were any malicious actions somehow waiting to be executed at a future time it wouldn't be able without entering the new information.

Yes.

> By this time I can only imagine it would be too late, so it was an idea, albeit asking for problems.

You're always taking a chance, even when accepting, for example, an iTunes or Safari download! But if you know what went wrong and where, then you can recover. Hence Tracker, as you point out.

> At the end of the day, if there just isn't a secure solution I understand it will all boil down to risk versus reward.

It's always like that. Just minimise the risks!

> On the bright side, at least I know Tracker has my back.

True. Cheers!
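The replies above say the installer will want to drop "something in LaunchAgents or LaunchDaemons" and that in the simpler scenario "all that's needed is to copy in a file or two, including the PLIST config". The following is an added example (not Rixstep's code, and not from LuLu or any real package) showing how to read such a launchd PLIST out of an expanded payload and work out, before you type any password, where the job will be installed, who it runs as, and whether admin credentials are actually required. The two plists and every path and label in them are constructed for the example.

```python
"""Inspect launchd job plists from an installer payload before granting admin rights.

Added example. The plists below are constructed samples, not from any real product.
Only the standard library is used (plistlib), so this runs anywhere, not just on a Mac.
"""
import plistlib
from typing import Any, Dict, List

# launchd directories per Apple's documented layout: (job kind, who runs it, admin needed to write there)
SCOPES = {
    "/System/Library/LaunchDaemons/": ("system daemon", "root", True),
    "/Library/LaunchDaemons/": ("system daemon", "root", True),
    "/Library/LaunchAgents/": ("global agent", "each logged-in user", True),
    "~/Library/LaunchAgents/": ("user agent", "the logged-in user only", False),
}

# Constructed sample 1: a daemon an installer would place in /Library/LaunchDaemons (root, at boot).
DAEMON_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.netmonitor</string>
    <key>ProgramArguments</key>
    <array><string>/Library/Application Support/Example/netmonitor</string><string>--daemon</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>"""

# Constructed sample 2: the same job rewritten as a per-user agent under ~/Library/LaunchAgents,
# pointing at a copy of the app in ~/Applications (the "copy in a file or two" scenario, no admin needed).
AGENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.helper</string>
    <key>Program</key><string>/Users/me/Applications/Example.app/Contents/MacOS/helper</string>
    <key>RunAtLoad</key><true/>
</dict>
</plist>"""


def classify_destination(dest: str) -> Dict[str, Any]:
    """Map the path the installer writes the plist to onto job kind, runtime user and admin requirement."""
    for prefix, (kind, runs_as, needs_admin) in SCOPES.items():
        if dest.startswith(prefix):
            return {"kind": kind, "runs_as": runs_as, "needs_admin": needs_admin}
    return {"kind": "not a launchd directory", "runs_as": None, "needs_admin": None}


def describe_job(plist_bytes: bytes, dest: str) -> Dict[str, Any]:
    """Parse a launchd plist and combine its keys with the destination classification."""
    job = plistlib.loads(plist_bytes)
    args: List[str] = job.get("ProgramArguments") or []
    # launchd takes the executable from Program, else from ProgramArguments[0]
    program = job.get("Program") or (args[0] if args else None)
    info = classify_destination(dest)
    info.update({
        "label": job.get("Label"),
        "program": program,
        "arguments": args[1:],
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "keep_alive": bool(job.get("KeepAlive", False)),  # may be a bool or a dict of conditions
    })
    return info


def findings(info: Dict[str, Any]) -> List[str]:
    """Plain-English observations a user would want before deciding to hand over a password."""
    notes = []
    if info["needs_admin"]:
        notes.append(f"{info['kind']} in a root-owned directory: installing it needs admin credentials")
    else:
        notes.append(f"{info['kind']}: can be copied into place by the user, no admin password involved")
    if info["kind"] == "system daemon" and info["run_at_load"]:
        notes.append("starts as root at boot, before any user logs in")
    if info["keep_alive"]:
        notes.append("launchd restarts it when it exits; unload it with launchctl rather than just killing it")
    prog = info["program"] or ""
    expected = ("/Library/", "/System/", "/usr/", "/Applications/", "/Users/")
    if not prog.startswith(expected):
        notes.append(f"program lives outside the usual install locations: {prog!r}")
    return notes


if __name__ == "__main__":
    for blob, dest in ((DAEMON_PLIST, "/Library/LaunchDaemons/com.example.netmonitor.plist"),
                       (AGENT_PLIST, "~/Library/LaunchAgents/com.example.helper.plist")):
        info = describe_job(blob, dest)
        print(f"{info['label']} -> {dest}")
        print(f"  runs {info['program']} {' '.join(info['arguments'])} as {info['runs_as']}")
        for note in findings(info):
            print(f"  - {note}")
```

On a real machine you would point this at the plist files found after expanding the package payload (and read any preinstall/postinstall script alongside it, as the reply suggests); the point is that the destination directory alone tells you whether the "admin password" request is about installing a root daemon or merely about writing into /Applications, and the latter has the ~/Applications workaround discussed above.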

Postscript: System Paths

They're not necessarily visible in your system, not to the ordinary user at user level, but they're in there alright. From Rixstep's Lightman, this should give you an indication of how many different types of paths your system is aware of.


And the ordinary paths for applications for ordinary users:

Paths
-----
NSAllDomainsMask, NSAllApplicationsDirectory
(
    "~/Applications",
    "~/Applications/Utilities",
    "~/Developer/Applications",
    "~/Applications/Demos",
    "/Applications",
    "/Applications/Utilities",
    "/Developer/Applications",
    "/Applications/Demos",
    "/Network/Applications",
    "/Network/Applications/Utilities",
    "/Network/Developer/Applications",
    "/Network/Applications/Demos"
)

You can put your software along any of the above paths, and the system will find it automatically (without your having to supply a full path).

See Also
Rixstep Forum: [HELP REQ] Bypassing admin password on install
Industry Watch: Opener 3.9

All Content and Software Copyright © Rixstep. All Rights Reserved.
