Posted on 03/06/2006 10:47:30 AM PST by ShadowAce
Why not? With its Unixy underpinnings, someone might think to use it in the role of a traditional multiuser timesharing system. Obviously, that's worth reconsidering at the very least, given that there appear to be holes in local account security that are known to blackhats. What's wrong with allowing that maybe, just maybe, OS X is not suitable for that role? It's not like that's the target market for Apple anyway, so they're hardly going to be losing much business as a result.
Wouldn't you agree that it's better to test a server role using the actual server version of an operating system?
What's wrong with allowing that maybe, just maybe, OS X is not suitable for that role?
It's as suitable as any other OS in its market. They ALL have had privilege elevation exploits.
It's not like that's the target market for Apple anyway
Sure. Lemme get out my copy of FreeBSD Server Edition (TM), rather than Desktop Edition (TM)...err, wait. There isn't any such thing.
I can sort of understand segmenting your clientele based on the number of concurrent connections, or the number of processors, or some such. I'm not so sure segmenting based on security is such a hot idea. Unless you're suggesting something other than that OS X server is more secure than the desktop version.
It's as suitable as any other OS in its market. They ALL have had privilege elevation exploits.
Which one do we know for a fact has unpublished, unpatched exploits TODAY?
Not for FreeBSD, but there is for OS X. Since we don't know the exact exploit used, we don't know if it works on Server too. This isn't as big as the difference between NT4 (server) and Windows 98 (client), but it's bigger than the difference between NT 3.51 Server and Workstation (the only difference there being registry entries that restricted Workstation; Microsoft made it a bit harder for NT 4, but it's still doable).
Face it, all OSs are a race against hackers. At any one time, any OS will have known and unknown vulnerabilities, patched and unpatched. What matters is the reaction time to fix once notified and the number/severity of the vulnerabilities for the roles you're using. Anything else is just playing games.
I agree
I own a Mac and several PCs....SSH isn't normally left open....for GAWD sake...and I would never set any machine as a server....
The article is out to lunch....and not real world!
Learn to read. We don't know the exploit. An exploit could be as serious as a flaw in core OS components used by both client and server, or as simple as a difference in the default configuration between the two. From the article, it sounds like he used a buffer overflow exploit. Because he had shell access, he could have attacked any number of software packages on the system (made by Apple or third parties, although Apple is in the end responsible for the security of third-party apps it ships with OS X). Some of those may or may not have been present in Server in various states of configuration (an iPhoto exploit wouldn't have done any good on Server), or part of a different security rollup that would have included the appropriate patch. We just don't know.
FYI, there are numerous code changes between client and server, but the biggest difference is the huge package of management and configuration software that ships with the server. That's software that helps you put a server on the Internet without screwing things up, things that can lead to a compromised machine.
But none of that is meant to say that Apple shouldn't start really being on guard security-wise as its OS is starting to get on the radar.
OTOH, Apple had a much smaller marketshare during OS 8/9, and there were over a hundred exploits for those OSs.
Take your own advice - I didn't ask about the exploit, I asked about the difference between Server and desktop.
Until these questions are answered, I am going to throw this report in the trash.