Focus on Apple
Thread index:
- Apple releases Mac OS X v10.5.1 with Application Firewall security updates, Nov 15 2007 07:11PM, Todd Woodward (todd_woodward symantec com) (1 replies)
- Application Firewall security updates, Nov 15 2007 08:08PM, Radoslav Dejanović (radoslav dejanovic opsus hr) (4 replies)
- Re: Application Firewall security updates, Nov 21 2007 03:00PM, Dave Piscitello (dave corecom com) (2 replies)
- Re: Application Firewall security updates, Nov 21 2007 09:27PM, Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (3 replies)
- RE: Application Firewall security updates, Nov 21 2007 10:43PM, Todd Woodward (todd_woodward symantec com)
- RE: Application Firewall security updates, Nov 15 2007 09:55PM, Todd Woodward (todd_woodward symantec com)
- Re: Application Firewall security updates, Nov 15 2007 09:51PM, Dave Schroeder (das doit wisc edu) (3 replies)
- Re: Application Firewall security updates, Nov 15 2007 11:36PM, Mark Senior (senatorfrog gmail com) (3 replies)
- Re: Application Firewall security updates, Nov 17 2007 02:54PM, Chris Pepper (pepper reppep com) (1 replies)
- Re: Application Firewall security updates, Nov 19 2007 12:59PM, Sandor Szücs (sszuecs zedat fu-berlin de)
- Re: Application Firewall security updates, Nov 16 2007 11:03AM, Radoslav Dejanović (radoslav dejanovic opsus hr) (2 replies)
- Re: Application Firewall security updates, Nov 16 2007 04:34PM, Derek Chesterfield (dez mac com) (1 replies)
- Re: Application Firewall security updates, Nov 16 2007 04:47AM, Derek Chesterfield (dez mac com) (2 replies)
- Re: Application Firewall security updates, Nov 15 2007 10:08PM, Radoslav Dejanović (radoslav dejanovic opsus hr)

Re: Application Firewall security updates, Nov 15 2007 09:51PM, Dave Schroeder (das doit wisc edu)
>> P.S. Application Layer Firewall, AFAIK, doesn't filter out programs
>> running with superuser privileges. That calls for trouble.
>
> Apple describes all of this very explicitly here:
>
> http://docs.info.apple.com/article.html?artnum=306938
>
> The 10.5.0 Application Firewall blocked all but:
>
> - Processes that are running as UID 0
> - mDNSResponder
>
> The 10.5.1 Application Firewall blocks all but:
>
> - configd, which implements DHCP and other network configuration
>   services
> - mDNSResponder, which implements Bonjour
> - racoon, which implements IPSec
>
> So, while I haven't tested yet, it does NOT appear to allow all UID
> 0 processes, but rather only the above processes. If this is
> accurate, that concern is now moot.
And from <http://docs.info.apple.com/article.html?artnum=307004>:
> CVE-ID: CVE-2007-4703
>
> Available for: Mac OS X v10.5, Mac OS X Server v10.5
>
> Impact: Processes running as user "root" (UID 0) cannot be blocked
> when the firewall is set to "Set access for specific services and
> applications"
>
> Description: The "Set access for specific services and applications"
> setting for the Application Firewall allows any process running as
> user "root" (UID 0) to receive incoming connections, even if its
> executable is specifically added to the list of programs and its
> entry in the list is marked as "Block incoming connections". This
> could result in the unexpected exposure of network services. This
> update corrects the issue so that any executable so marked is
> blocked. This issue does not affect systems prior to Mac OS X v10.5.
Based on this, and the updates to <http://docs.info.apple.com/article.html?artnum=306938>
described in my last message, I'd say that several major issues
with the Application Firewall have been addressed. Namely, the
assertion that "Block all incoming connections" is misleading, and
always allowing access to all UID 0 applications, regardless of
explicit settings.
A lot of people weren't upset that Apple was making a judgment to
still allow things like, e.g., Bonjour, but that "Block all incoming
connections" didn't do just that. So they've tightened up the
implementation and clarified the user interface. And, "ipfw technology
is still accessible [...] and the Application Firewall does not
overrule rules set with ipfw; if ipfw blocks an incoming packet, the
Application Firewall will not process it."
- Dave
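The thread's practical concern is that, before 10.5.1, any UID 0 process could accept incoming connections regardless of the Application Firewall's per-application settings, and that after 10.5.1 only configd, mDNSResponder and racoon remain exempt. An administrator checking a machine against that description would want to know which root-owned processes are actually listening and which of them fall outside Apple's documented exception list. The following audit script is an added example, not code from the thread or from Apple; it parses the output format of `lsof -nP -iTCP -sTCP:LISTEN` (the sample output embedded below is constructed, not captured from a real host) and reports root-owned listeners that the 10.5.1 exception list does not cover, separating loopback-only binds from those reachable on any interface.

```python
"""Audit root-owned listening TCP services against the Mac OS X 10.5.1
Application Firewall exception list.

Added example (not from the mailing-list thread or from Apple).  The
exception list comes from Apple KB 306938 as quoted in the thread; the
lsof sample below is constructed for illustration.
"""
import subprocess
from typing import Dict, List

# Processes Apple documents as always allowed through the 10.5.1
# Application Firewall (configd, mDNSResponder, racoon).
ALWAYS_ALLOWED = {"configd", "mDNSResponder", "racoon"}

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output.  Column
# order is COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, with the
# "(LISTEN)" state appended as a separate token.
SAMPLE_LSOF = """\
COMMAND       PID           USER FD TYPE DEVICE SIZE/OFF NODE NAME
mDNSResponder  32 _mdnsresponder 7u IPv4  0x101      0t0  TCP *:5353 (LISTEN)
racoon         45           root 6u IPv4  0x102      0t0  TCP *:500 (LISTEN)
cupsd          60           root 5u IPv4  0x103      0t0  TCP 127.0.0.1:631 (LISTEN)
sshd           70           root 3u IPv4  0x104      0t0  TCP *:22 (LISTEN)
Python         90           dave 4u IPv4  0x105      0t0  TCP *:8000 (LISTEN)
"""


def parse_listeners(lsof_text: str) -> List[Dict[str, str]]:
    """Turn lsof LISTEN output into dicts of command, pid, user, address.

    The header line is skipped; any line with too few columns is ignored
    rather than guessed at, so partial or truncated output fails safe.
    """
    listeners = []
    for line in lsof_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 9:
            continue
        listeners.append({
            "command": fields[0],
            "pid": fields[1],
            "user": fields[2],
            "address": fields[8],  # e.g. "*:22" or "127.0.0.1:631"
        })
    return listeners


def is_wildcard_bind(address: str) -> bool:
    """True when the socket accepts connections on every interface."""
    return address.startswith("*:") or address.startswith("0.0.0.0:")


def root_listeners_outside_exceptions(listeners: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Root-owned (UID 0) listeners that 10.5.1 does NOT exempt.

    Before 10.5.1 every one of these would have bypassed an explicit
    "Block incoming connections" entry; after the update they are subject
    to the per-application setting like any other program.
    """
    return [
        entry for entry in listeners
        if entry["user"] == "root" and entry["command"] not in ALWAYS_ALLOWED
    ]


def audit(lsof_text: str) -> Dict[str, List[str]]:
    """Summarise which non-exempt root listeners are exposed beyond loopback."""
    flagged = root_listeners_outside_exceptions(parse_listeners(lsof_text))
    return {
        "root_not_exempt": sorted(e["command"] for e in flagged),
        "root_not_exempt_exposed": sorted(
            e["command"] for e in flagged if is_wildcard_bind(e["address"])
        ),
    }


def collect_lsof() -> str:
    """Run lsof on the local host; used only when invoked as a script."""
    return subprocess.run(
        ["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    # Use live lsof output when available, otherwise the constructed sample.
    try:
        text = collect_lsof()
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_LSOF
    for key, names in audit(text).items():
        print(f"{key}: {', '.join(names) or '(none)'}")
```

On the constructed sample the report lists cupsd and sshd as root-owned listeners outside the exception list, and only sshd as reachable from other hosts, since cupsd is bound to 127.0.0.1. The script only observes socket state; whether a flagged process is actually blocked still depends on the firewall mode selected in System Preferences and, as the thread notes, on any ipfw rules that drop the packet first.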