About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Learning Curve

A Suggestion

Use what you got. Tomorrow too.

Get It

Try It

This just in.

You seem on top of things concerning osx security but it is also hard for the average OSX user, like my self to do the things you describe. I have a suggestion. Could you not create an app that can check those suid on the entire machine and suggest changes for a safer use? Make it a shareware or donation ware. either way you will benefit and you will contribute to doing the mac community a service which obviously apple do not prioritize. Of such a program needs to be really simple to use and automatic( no user interaction needed) where possible.

Please get back to me if you think this is a good idea.

This sent back.

It's a good idea. That much is true. But we already have software to do this.


You can download a 'test drive' here.


All you have to do is remember to set the 'filter' in Xscan to 'Set User ID'. That's it. Then set your scan root for your root directory, kick back and relax.

> Please get back to me if you think this is a good idea.

:) Well get back to us if that app was helpful. :)

So let's try it.

1. Download

The download link's on the page cited above; here's a direct link. Take the framework in the package and drag it to /Library/Frameworks; take the rest and drag it anywhere you want. [But it's recommended you use ~/Applications and not /Applications and create ~/Applications if you need to - you won't be in a position to have to 'repair permissions' all the time if you avoid /Applications and right now that's something you want to avoid more than ever.]

2. Start Xscan

It's got the bright blue metallic icon. Go to the 'filters' menu and select 'Set User ID' [or hit ⌘6].

[The items on that 'filters' menu are taken directly from the famous 'Hacking Exposed' by Stu McClure et al. They pinpoint the classic weaknesses in a Unix file system. 'Extended Attrs' follows as a successor to Apple resource forks. It too has been a weakness - vis Oompa Loompa et al. Ed.]

Then click the magnifying glass on the toolbar and navigate to your /Applications directory. Later you'll perhaps want to try your /System directory but that seems all right for the moment - you want to concentrate on third party software right now.

Now kick back and relax. It should take but a few seconds. Xscan will find all 'SUID' files at your scan root [/Applications].

You can now select all and drag them over to a text window and work from there.


You can also use the leakd script included in the free CLIX download. The pertinent part is the following.

echo ' 8. SUID root files'
echo -------------------------------------------------
find -x / -type f -perm -04000 -user 0 2>/dev/null

You need only copy out the third (last) line above and run it from the terminal. Redirect the output as you want for further use but as the script runs so fast anyway - and as it's another comprehensive 'Hacking Exposed' look at the classic Unix file system weaknesses - it's probably even better to run the entire script.


  • The ARDAgent security hole represents a serious system flaw. The flaw lies in the fact AppleScript is allowed to 'push' Unix commands through unwitting Cocoa/GUI-based apps which run the commands with their own privileges.

  • Four years ago someone started trying to alert Apple to the danger; they dismissed the alerts; now it turns out Apple themselves have contributed the danger.

  • The only vulnerable app on either Tiger or Leopard is currently ARDAgent and it doesn't seem to produce the (un)desirable results on Tiger.

  • The flaw isn't in ARDAgent - the flaw's in AppleScript and the way it's implemented in the system. Any third party software may end up opening a system the same way ARDAgent did - so it pays to be careful and to audit one's system regularly. And not just now - routine audits such as leakd are always good to perform on a regular basis.

See Also
Industry Watch: You're Root, Dude!
Industry Watch: You're Toast, Dude?
Learning Curve: The First Real Malware?
Learning Curve: Apple Redefine 'Epic FAIL'?
Industry Watch: It's Not New It Starts with 10.2
Apple Developer Connection: AppleScript Overview
Industry Watch: Huge, Crazy, Ridiculous OS X Security Hole
Apple Developer Connection: Apple Events Programming Guide

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.