
February 03, 2006

Composer 3.0 makes password available when creating Apple Packages

When creating Apple Packages (.pkg files) with Composer 3.0 from JAMF Software, your password is made available to any other user on the system. To minimize your risk, you should not use Composer 3.0 on multi-user machines.

A similar issue was reported with Casper, Composer's parent product, on May 9, 2005.

My curiosity in this was sparked by this press release, which arrived in my inbox today:

Subject: Composer 3.0 at no charge

For those who didn't know the product, it's now available for free.

http://www.jamfsoftware.com/products/composer/
http://www.jamfsoftware.com/products/composer/getComposer.php

Composer 3.0 is a package creation utility for the Mac OS known best for its unrivaled simplicity and power. The ability to point and click to create packages in either the .dmg or .pkg format opens up the world of package creation to all system administrators. Composer creates packages by scanning a target hard drive before and after software installation and then bundles the differences between the two into a Package. In response to the popularity of Composer and community requests for a stand-alone version, JAMF Software decided to release this component of the Casper Suite at no charge.

As a developer of Radmind, I'm always interested in what other products are doing, so I downloaded Composer 3.0 and gave it a try. I then ran through the Composer package-creation process: taking a snapshot, installing something (I created /Applications/Test), looking for "New and Modified" files, giving the package a name, and building it. Just for kicks, I also verified the contents, or as I like to call it, used the Finder to look in a directory.

During the build process, I noticed that Composer 3.0 was taking a long time, so I ran ps to see what was going on:

root# ps -ax | grep find
5247 ?? S 0:00.01 sh -c /usr/bin/find '/afs' -newer '/Volumes/Users/mcneal/Desktop/Temp/before' >> '/private/tmp/modified'
5248 ?? U 0:00.36 /usr/bin/find /afs -newer /Volumes/Users/mcneal/Desktop/Temp/before

Composer 3.0 had decided to descend into /afs. All of /afs. Since this would take days to complete, if it completed at all, I killed off both of these processes, allowing Composer to finish.

To create the final package, I set the package type to "Apple .pkg" and clicked Save, which brought up a non-standard authentication window.

After typing in my password and clicking OK, I quickly went to the terminal and ran ps:

root# ps -ax | grep PASSWORD
5350 ?? S 0:00.01 sh -c /bin/echo "PASSWORD" | /usr/bin/sudo -S '/Developer/Applications/Utilities/PackageMaker.app/Contents/MacOS/PackageMaker' -build -p '/Volumes/Users/mcneal/Desktop/Temp/te

And there it is: my password echoed to sudo on a shell command line, available for anyone on the system to read with nothing more than ps.
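To make the exposure and the fix concrete, here is an added example (not code from this post, from Composer, or from JAMF). It reproduces the pattern in the ps output above, a password interpolated into a string handed to `sh -c`, and contrasts it with the approach that keeps the secret out of every process's argv: exec the tool directly and write the password to its stdin from the parent. `cat` stands in for `sudo -S`, which also reads the password from standard input, so the safe form carries over unchanged as `Popen(["sudo", "-S", tool, ...], stdin=PIPE)`. The sample password and the `sleep 1` used to keep the shell alive long enough to inspect are my additions.

```python
"""Why a password embedded in a shell command string is visible to every local
user, and the stdin-based alternative that keeps it out of argv.
Added example, not Composer's or JAMF's code; `cat` stands in for `sudo -S`."""
import subprocess


def visible_cmdline(pid):
    """Return the command line of `pid` as any local user would see it in ps.
    Reads /proc on Linux and falls back to ps(1) elsewhere (e.g. macOS)."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except FileNotFoundError:
        out = subprocess.run(["ps", "-p", str(pid), "-o", "args="],
                             capture_output=True, text=True)
        return out.stdout.strip()


def run_leaky(password):
    """The pattern from the Composer ps output: the password is interpolated
    into the string given to `sh -c`, so it becomes argv[2] of sh and shows up
    in `ps -ax` for every user. `sleep 1` only keeps sh alive long enough for
    visible_cmdline() to look at it."""
    cmd = ["sh", "-c", f'/bin/echo "{password}" | cat; sleep 1']
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, text=True)
    seen = visible_cmdline(proc.pid)   # what `ps -ax | grep PASSWORD` finds
    out, _ = proc.communicate()
    return seen, out.strip()


def run_safe(password):
    """The fix: no shell, no echo. Exec the tool directly and write the
    password to its stdin from the parent process. argv holds no secret; the
    password travels only over a pipe the parent owns. With sudo this is
    Popen(["sudo", "-S", tool, ...], stdin=subprocess.PIPE)."""
    proc = subprocess.Popen(["cat"], stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True)
    seen = visible_cmdline(proc.pid)   # just "cat"
    out, _ = proc.communicate(password + "\n")
    return seen, out.strip()


if __name__ == "__main__":
    secret = "hunter2-example"  # constructed sample password
    seen, _ = run_leaky(secret)
    print("leaky argv:", seen)   # contains the password
    seen, _ = run_safe(secret)
    print("safe argv :", seen)   # no password anywhere in argv
```

The point of the stdin form is not that pipes are secret in general but that the kernel exposes argv of every process to every local user by design, while a pipe is readable only by its two endpoints. On Mac OS X the better answer for a GUI tool is to avoid collecting the password at all and use Authorization Services for the privileged step, but wherever sudo is used, the password must reach it through `-S` on stdin, never through `echo` on a command line.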

Posted by mcneal at February 3, 2006 11:17 AM

Comments

I'd like to try Composer but wasn't fortunate enough to be one that downloaded the demo when it was available.

Could you contact me to help me out?

tony.ricci@rci.rogers.com

Thanks,

Tony

Posted by: tony.ricci@rci.rogers.com at August 16, 2006 04:41 PM

No - sorry, I'm not in a position to give it out. I'd contact the Casper folks.

Posted by: mcneal at August 16, 2006 04:46 PM
