About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Learning Curve

Input Managers — The Cure

There are a lot of snake oil cures for input managers exploits out there. This isn't one of them.
For a full discussion of this issue, visit the CLIX forum.

Get It

Try It

Unix admits of 'extended attributes' which can be used to lock files down in a myriad of ways. Most OS X users are not aware of these attributes and their Finder isn't aware of them either.

To the chase: there are different levels of protection. The first is a speed bump and will work until trojans figure out how to counteract it. The second is totally tight - there should be no way a trojan can get past this ever.

Again: the 'Macintosh savants' with their assorted Oompa lockers won't come close to protecting you - because the authors evidently do not understand how Unix file modes work.

But this one works. It's got to do with the 'extended user defined attributes' (not the xattr gunk). ACP users are familiar with this because the ACP framework offers access to these critters (and it would seem no other file manager for OS X does).

You can do this from the command line too. There are bits in here that do not really need to be set but the extra ones don't hurt.

The commands below will be included in the next update of the ACP as well as the next update of the 'freebie' CLIX.

[Note: you may get the diagnostic 'operation not permitted' when using the most brutal combination for chflags; the command should however have worked. Check your file mode and extended flags again from the command line or with Xfile.]

Level 1

This is the easiest and becomes a speed bump against trojans.

mkdir /Library/InputManagers
chmod 0700 /Library/InputManagers
chflags 017 /Library/InputManagers

This will give you 'speed bump' protection. You should not be able to do anything with those directories - neither remove them or put anything in them.

The catch is that any rogue process running on your account that is aware of your little trick will be able to remove those flags.

If you want to see those flags, then do like this.

ls -adilo /Library/InputManagers

The new column will stick out right away.

Level 2 — Totally Tight

This level is totally tight: if you do this, no one - not even you - will be able to change anything. If you really need an input manager, you will be screwed - unless... [See below.]

To do these operations, you must be root - and you should preferably mark the directories as owned 0700 by root as well.

To undo these operations, you will have to boot into single user mode - so this protection is 'totally tight'.

mkdir /Library/InputManagers
sudo chown 0:0 /Library/InputManagers
sudo chmod 0700 /Library/InputManagers
sudo chflags 1600017 /Library/InputManagers

Note you will have to boot into single user mode to destroy these bits. So you'd better know what you're doing or be prepared to find out when/if the need arises.

OTOH you should be totally impervious to attacks via input managers. The bad guys can neither put things in those directories, remove them first and then create them again with modes better suited to their purposes, or get your box into single user mode.

Level 3 — Tighter Still?

Level 2 is fine unless you are running OS X Panther 10.3.9 or earlier - in which case you may be vulnerable to the BootRooter (Renepo) attack. Then you should use one of the following 'cures'.

This level follows the method used in Tiger: instead of using extended attributes, a sticky bit is placed on the parent directory /Library. The sticky bit prevents rogue code from removing items and then replacing them with more amenable modes.

mkdir /Library/InputManagers /Library/StartupItems
chmod 0755 /Library/InputManagers /Library/StartupItems
sudo chown 0:80 /Library /Library/InputManagers /Library/StartupItems
sudo chmod 1775 /Library

Level 4 — The Tightest?

Use the following and you should have no alternative but to boot into single user mode to take it all away - at least until a new security hole in OS X is found.

Use this especially if you are not running at least OS X 10.4.

mkdir /Library/InputManagers /Library/StartupItems
chmod 0700 /Library/InputManagers /Library/StartupItems
sudo chown 0:0 /Library/InputManagers /Library/StartupItems
sudo chflags 1600017 /Library/InputManagers /Library/StartupItems

See Also
The Chocolate Tunnel
Peeking Inside the Chocolate Tunnel

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.