9r3nXPaRTa

#Leak #Bug #Apple #Mac #Sandbox #Xaveroz #GrenXPaRTa

Aug 24th, 2017
  1. [INFO] + [BUG]
  2.  
  3.  
  4. apple.com <=== Bug
  5.  
  6.  
  7. /bin/bash
  8. /bin/csh
  9. /bin/ksh
  10. /bin/sh
  11. /bin/tcsh
  12. /bin/zsh
  13.  
  14. Hosts localhost Apple
  15. +++++++++++++++++++++++++++++++++++++++
  16. 127.0.0.1   localhost
  17. 255.255.255.255 broadcasthost
  18. ::1             localhost
  19. +++++++++++++++++++++++++++++++++++++++
  20.  
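  21. ftpusers (per the file's own header below, this is a deny list: the accounts it names are refused FTP access)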
  22. +++++++++++++++++++++++++++++++++++++++++++
  23. # list of users disallowed any ftp access.
  24. # read by ftpd(8).
  25. Administrator [allowed]
  26. administrator [allowed]
  27. root <=== critical
  28. uucp
  29. daemon
  30. unknown
  31. www <==== error
  32.  
  33. Makefile for the subdirectories, and INSTALL_FILE with -c -m 644 for ftpusers [i see for all anything bug]
  34.  
  35. Makefile   [plain text]
  # Directory that receives every file installed by this makefile:
  # /private/etc beneath $(DSTROOT). DSTROOT is not set in this file.
  # Recursive assignment (=), so DSTROOT is read each time Destination is used.
  Destination = $(DSTROOT)/private/etc

  # Common Makefile
  # Not shown on this page. _v, INSTALL_FILE, INSTALL_DIRECTORY and LN are used
  # below but never set in this file, so presumably they are defined there
  # (TODO confirm).
  include $(MAKEFILEPATH)/CoreOS/ReleaseControl/Common.make

  # Subdirectories with their own makefiles
  # Empty here, so the subdirectory loop in the first install:: rule has
  # nothing to visit.
  SubDirs =
  43.  
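  # install:: is a double-colon target, which allows several independent rules
  # for the same name; this file defines two of them.
  #
  # Rule 1: run "$(MAKE) install" in every directory listed in SubDirs, pointing
  # each sub-make at the matching directory below $(Destination).
  # "|| exit 1" stops at the first failing subdirectory. Without it the loop
  # returns only the status of the last sub-make, so an earlier failed install
  # (a file missing or left with the wrong mode) would go unnoticed.
  # $(_v) is not defined in this file -- presumably a verbosity prefix from
  # Common.make (TODO confirm).
  install::
	$(_v) for subdir in $(SubDirs); do					\
		(cd "$$subdir" && $(MAKE) $@ Destination="$(Destination)/$$subdir") || exit 1;	\
	done

  # Rule 2: no recipe of its own; it makes install depend on the two targets
  # that copy the files into $(Destination).
  install:: install-sysconf install-files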
  50.  
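  # Create $(Destination) and install the static system configuration files.
  #
  # Every file here is installed world-readable (-m 644). Five entries are
  # copied from /dev/null, i.e. created as empty files: find.codes, hosts.lpd,
  # hosts.equiv, rmtab and xtab. An empty hosts.equiv names no trusted host.
  # ftpusers is copied unchanged; its own header describes it as the list of
  # users disallowed any ftp access.
  #
  # _v, INSTALL_DIRECTORY, INSTALL_FILE and LN are not defined in this file;
  # presumably they come from Common.make (TODO confirm).
  install-sysconf:
	@echo "Installing $(Destination)"
	$(_v) $(INSTALL_DIRECTORY) "$(Destination)"
	$(_v) $(INSTALL_FILE) -c -m 644 afpovertcp.cfg   "$(Destination)/afpovertcp.cfg"
	$(_v) $(INSTALL_FILE) -c -m 644 /dev/null    "$(Destination)/find.codes"
	$(_v) $(INSTALL_FILE) -c -m 644 ftpusers     "$(Destination)/ftpusers"
	$(_v) $(INSTALL_FILE) -c -m 644 fstab.hd     "$(Destination)/fstab.hd"
	$(_v) $(INSTALL_FILE) -c -m 644 gettytab     "$(Destination)/gettytab"
	$(_v) $(INSTALL_FILE) -c -m 644 /dev/null    "$(Destination)/hosts.lpd"
	$(_v) $(INSTALL_FILE) -c -m 644 /dev/null    "$(Destination)/hosts.equiv"
	$(_v) $(INSTALL_FILE) -c -m 644 kern_loader.conf "$(Destination)/kern_loader.conf"
	$(_v) $(INSTALL_FILE) -c -m 644 motd         "$(Destination)/motd"
	$(_v) $(INSTALL_FILE) -c -m 644 /dev/null    "$(Destination)/rmtab"
	$(_v) $(INSTALL_FILE) -c -m 644 shells       "$(Destination)/shells"
	$(_v) $(INSTALL_FILE) -c -m 644 syslog.conf  "$(Destination)/syslog.conf"
  # When RC_RELEASE is "Darwin", ttys is rewritten on the way in: lines that
  # start with "console" are commented out with "##", and lines that start with
  # "#console" are uncommented. Any other release installs ttys unchanged.
  # sed reads ttys itself instead of through "cat ttys |": in the pipeline form
  # a missing ttys fails only in cat, the pipeline still returns sed's success,
  # and an empty ttys is installed without any error.
  # chmod and chown are joined with "&&" instead of ";" so that a failed chmod
  # is reported instead of being masked by chown's exit status.
  ifeq "$(RC_RELEASE)" "Darwin"
	$(_v) sed -e 's/^console/##console/' -e 's/^#console/console/' ttys > "$(Destination)/ttys"
	$(_v) chmod 644 "$(Destination)/ttys" && chown root:wheel "$(Destination)/ttys"
  else
	$(_v) $(INSTALL_FILE) -c -m 644 ttys         "$(Destination)/ttys"
  endif
	$(_v) $(INSTALL_FILE) -c -m 644 /dev/null    "$(Destination)/xtab"
  # Symlink to /var/run/resolv.conf, created inside $(Destination).
  # NOTE(review): if LN is a plain ln, a second install run fails here because
  # the link already exists -- confirm against Common.make.
	$(_v) $(LN) -s /var/run/resolv.conf              "$(Destination)"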
  74.  
  # We should stop installing the files which are pulled into NetInfo, but we should
  # first make sure that doesn't break anything.
  # - at boot time, we get (possibly nominal) error messages if master.passwd is missing.
  # - syslogd doesn't like it if services is missing.
  #
  # Installs the account and network database files into $(Destination).
  # master.passwd is the only file installed with mode 600; every other file,
  # including passwd and group, is installed world-readable (mode 644).
  # _v and INSTALL_FILE are not defined in this file; presumably they come
  # from Common.make (TODO confirm).
  install-files:
	$(_v) $(INSTALL_FILE) -c -m 644 group        "$(Destination)/group"
	$(_v) $(INSTALL_FILE) -c -m 644 hosts        "$(Destination)/hosts"
	$(_v) $(INSTALL_FILE) -c -m 600 master.passwd    "$(Destination)/master.passwd"
	$(_v) $(INSTALL_FILE) -c -m 644 networks     "$(Destination)/networks"
	$(_v) $(INSTALL_FILE) -c -m 644 passwd       "$(Destination)/passwd"
	$(_v) $(INSTALL_FILE) -c -m 644 protocols    "$(Destination)/protocols"
	$(_v) $(INSTALL_FILE) -c -m 644 rpc      "$(Destination)/rpc"
	$(_v) $(INSTALL_FILE) -c -m 644 services     "$(Destination)/services"
  88.  
  89. +++++++++++++++++++++++++++++++++++++++++++
  90.  
  91.  
  92. The sandbox
  93.  
  94. bsd.sb   [plain text]
  ;;
  ;; common rules for various BSD daemons
  ;; Copyright (c) 2007 Apple Inc.  All Rights reserved.
  ;;
  ;; WARNING: The sandbox rules in this file currently constitute
  ;; Apple System Private Interface and are subject to change at any time and
  ;; without notice. The contents of this file are also auto-generated and not
  ;; user editable; it may be overwritten at any time.
  ;;
  ;; Reading notes:
  ;; - Every rule in this file is an "allow"; there is no default action and no
  ;;   deny rule here. Presumably the daemon profile that pulls these rules in
  ;;   supplies the default -- confirm against that profile.
  ;; - A sandbox allow rule does not replace ordinary file permissions; it only
  ;;   states what the sandbox itself will not block.
  (version 1)

  ;; NOTE(review): presumably requests logging of denied operations -- confirm.
  (debug deny)

  ;; allow processes to traverse symlinks
  ;; No path filter is given, so this applies to metadata reads on every path.
  (allow file-read-metadata)

  ;; Read-only access to the paths below. "^/System/" is a prefix match and
  ;; covers everything beneath /System/.
  (allow file-read-data file-read-metadata
    (regex
      ; Allow reading system dylibs and frameworks
      #"^/usr/lib/.*\.dylib$"
      #"^/usr/lib/info/.*\.so$"
      #"^/System/"
      #"^/private/var/db/dyld/"
      #"^(/private)?/etc/hosts\.(allow|deny)$"
    ))

  ;; Read AND write access to the paths below.
  ;; NOTE(review): "/\.CFUserTextEncoding$" has no leading "^", so it matches a
  ;; file of that name in any directory; the write grant also covers data
  ;; directories such as /usr/share/zoneinfo/ and /usr/share/nls/ -- confirm
  ;; whether write access is needed there.
  (allow file-read-data file-write-data
    (regex
      ; Allow files accessed by system dylibs and frameworks
      #"^/dev/null$"
      #"^(/private)?/var/run/syslog$"
      #"^/dev/u?random$"
      #"^/dev/autofs_nowait$"
      #"^/dev/dtracehelper$"
      #"/\.CFUserTextEncoding$"
      #"^(/private)?/etc/localtime$"
      #"^/usr/share/nls/"
      #"^/usr/share/zoneinfo/"
    ))

  ;; ioctl is allowed on exactly one device node.
  (allow file-ioctl
    (regex
      ; Allow access to dtracehelper by dyld
      #"^/dev/dtracehelper$"))

  ;; Mach service lookups are limited to the five global names listed here.
  (allow mach-lookup
    (global-name "com.apple.bsd.dirhelper")
    (global-name "com.apple.system.DirectoryService.libinfo_v1")
    (global-name "com.apple.system.DirectoryService.membership_v1")
    (global-name "com.apple.system.logger")
    (global-name "com.apple.system.notification_center"))

  ;; No filter: POSIX shared memory is allowed without a name restriction.
  (allow ipc-posix-shm) ; Libnotify

  ;; No filter: every sysctl may be read.
  (allow sysctl-read)

  ;; A process may signal only itself.
  (allow signal (target self))