COMMAND

    'Multiple Users' Control Panel

SYSTEMS AFFECTED

    MacOS 9

PROBLEM

    Todd Kirby found the following.  Mac OS 9.04 comes with a 'Multiple
    Users' Control Panel that allows an administrator (called 'Owner')
    to create user accounts (called 'Normal' users) with limited
    access to the computer.

    The problem is that the Owner password can be removed by a Normal
    user by moving the 'Users & Groups Data File' and logging back in
    using the Owner account, giving full access to the machine.

    As for the exploit, log in as a Normal user.  Find the file called
    'Users & Groups Data File' in the Preferences Folder and move it
    to another location.  Log out and back in using the Owner account.

    Result: No password is required to log in as the Owner user.  User
    now has full access to the computer, including the ability to make
    changes in the 'Multiple Users' control panel.

    The previously moved 'Users & Groups Data File' can be moved back
    into the Preferences folder to restore the original Owner password,
    making detection difficult.

    This has been tested under Mac G3 and G4 with OS 9.04.

    If your  Mac is  configured to  share out  your system folder with
    any level of access, you're screwed regardless of which OS version
    you're running.   As far back  as OS 7.6.1  (and probably earlier)
    your  Users  and  Groups  preferences   file  has  all  user   and
    administrator passwords encoded using wimpy 40-bit DES encryption.
    You don't want any users getting into it.

SOLUTION

    Use 'Limited' instead of  'Normal' when setting up  user accounts.
    This will protect the Preferences folder from being altered.

    Multiple Users is essentially a neat hack that allows a
    fundamentally single-user system to be used by more than one
    "regular" user, not a real multi-user system itself.  The major
    design goal of Multiple Users security appears to be making it
    difficult for one assigned user to screw up preferences and
    settings for another user of the same system.

    Those  who  rely  on  Multiple  Users  for system security should,
    however, do two things routinely:

        1. Do not allow users to access the System Folder
        2. Do not  assume that the  system is actually  keeping things
           secure

    The above problem has been fixed by Apple in Macintosh Manager
    1.4.  See the following URL for the info:

        URL:http://asu.info.apple.com/swupdates.nsf/artnum/n12046/