Last night, while groggily honing in on the Office 2008 installer package UID problems, I missed another glaringly obvious defect: All the files are set executable, yes those files owned by 502 are also set executable. Take a look again at the lsbom dump you’ll see this everywhere: 100775. For the first two: the 10 means it’s a file, 40 is a directory. The last three (775) are significant: 7 is 4+2+1 (4:read, 2:write, 1:execute) and 5 is… that’s right: 4+1, read and execute privileges.
Now tell me does… /Microsoft Office 2008/Read Me.html
need to be executable for you to look at it? Tick, tick, tick, *ding*! No. It does not let’s do another!
Does this god awful GIF bullet? /Microsoft Office 2008/Office/Media/Clipart/Bullets.localized/Red Swirl
No. But it is.
Ok. One more: /Microsoft Office 2008/Office/Media/Sounds/Yeehaw
? Yeah, you’re getting it. No.
The only things that needs execute privileges are directories (that’s application bundles too) and executables such as: Microsoft Word.app/Contents/MacOS/Microsoft Word
And can you remove this execute bit in Finder? No. You have 3 choices, Read & Write, Read Only, and No Access, flip through them all and the x will still be there. You’ll need to chmod it from the terminal, but be careful, not all of them… or just give chmod -R ugo-x *
a whirl, then slowly go through and chmod go+x the executables one by one and see if it still works, might be faster than the inverse… but I haven’t tested anything yet, that’s for work tommorrow… and the next day… in the mean time…
Try this: ls -lFGR /Applications/Microsoft\ Office\ 2008
You’ll be seeing red. :D
BTW: Just in case, the media I am using is Part No: X13-64625-03, I hope MS can fix this and re-press this for Volume License customers — my day job! And speaking of just in case, thanks ‘justincase’ of the Clix forums for pointing out the glaringly obvious.
There are six octal digits in a file mode, not five. ’10’ is ‘regular file’. You mask the mode with octal 170000 to get the file type. The 4th from the right is indeed as you state for sticky, set UID, and set GID bits. And the rest of course is spot on. And thanks for bringing it to people’s attention. Cheers.
interesting finding… made me tried to solve the problem.
Step 1 – fix the ownership
$ sudo chown -R root:admin /Applications/Microsoft\ Office\ 2008/
Step 2: fix the executables file permission
$ sudo find /Applications/Microsoft\ Office\ 2008/ -type f -exec chmod 664 {} \;
$ sudo find /Applications/Microsoft\ Office\ 2008/ -type f | while read foo; do file “${foo}” | while read bar; do echo “${bar}” | awk -F: ‘/Mach-O/ {printf “chmod 775 “%s”\n”,$1}’; done; done | grep -v “for architecture” | sudo sh
Hope I didn’t miss something.. :-)
Well, Microsoft added an extra step on the ownership to remove the sticky and SetUID bits before they change ownership to root:
/usr/bin/sudo /bin/chmod -R a-st /Applications/Microsoft\ Office\ 2008 /Library/Automator /Library/Fonts/Microsoft /Library/Application\ Support/Microsoft
/usr/bin/sudo /usr/sbin/chown -h -R root:admin /Applications/Microsoft\ Office\ 2008 /Library/Automator /Library/Fonts/Microsoft /Library/Application\ Support/Microsoft
Full post at:
http://www.officeformac.com/blog/Security-issue-in-Mac-Office-2008-Installer
So now for your fixes, Jim, I reworked them a bit, didn’t need sudo’s to find the files, just to chmod them, also I went with xargs for speed, right Rick? :D (and does speed up the first)
Step 1: Knock all files down to rw-rw-r–
find /Applications/Microsoft\ Office\ 2008 -type f -print0 | xargs -n 1045 -0 /usr/bin/sudo chmod 664
find /Library/Application\ Support/Microsoft -type f -print0 | xargs -n 890 -0 /usr/bin/sudo chmod 664
# or just simply take away x for the fonts
sudo chmod a-x /Library/Fonts/Microsoft/*
#automator contains not Mach-O executables, only Applescripts that only require read access
find /Library/Automator -type f -print0 | xargs -n 1045 -0 /usr/bin/sudo chmod a-x
Note: -n 1045 is to prevent an error when sudo when it gets too many arguments, apparently xargs heaps them on a bit too much, longer paths means less arguments are able to be fit in
Step 2: Now find all files of Mach-O type and bump them back up to rwx-rwx-r-x
find /Applications/Microsoft\ Office\ 2008 -type f | while read foo; do file "${foo}" | while read bar; do echo "${bar}" | awk -F: '/Mach-O/ {print $1}' | grep -v "for arch"; done; done | xargs -I '{}' /usr/bin/sudo chmod a+x '{}'
find /Library/Application\ Support/Microsoft -type f | while read foo; do file "${foo}" | while read bar; do echo "${bar}" | awk -F: '/Mach-O/ {print $1}' | grep -v "for arch"; done; done | xargs -I '{}' /usr/bin/sudo chmod a+x '{}'
The second still takes a while with all the awk and file calls on each file… but what else are you gonna do? The awk filtering works well, though, I like that. Anyhoo, it does get the job done, thanks for the push Jim!
Although now that I think of it, why would one really want write access to an executable anyway? Apart from some self modifying code for copy protection ofrserialization, it’d seem that r-x is all you really need to run a program eh? So for the more paranoid:
Find all files of Mach-O type and chmod them to r-x-r-x-r-x
find /Applications/Microsoft\ Office\ 2008 -type f | while read foo; do file "${foo}" | while read bar; do echo "${bar}" | awk -F: '/Mach-O/ {print $1}'
| grep -v "for arch"; done; done | xargs -I '{}' /usr/bin/sudo chmod 555 '{}'
Although dang it if now I don’t realize that xargs is going line for line, because of awk, I’ve tried putting the grep before awk, and awking with \0 at the end and xargs with -0 but it fouls up… so #2 is still slow… perhaps a kindly hacker will show me my error, for now, it’s late! And it’s not my problem to fix anyway! ;)
Maybe I’m missing something, but… who cares? Why would a user care if all this stuff is executable? It’s not like the exe bit matters for the vast majority of purposes.
Yes no guarantees on xargs with awk. Awk awk! It’s valiant of you both to tackle this one but as Joel says: ‘it’s not his job!’ Cheers. ;)
PS. ‘Find all files of Mach-O type and chmod them to r-x-r-x-r-x’ – uh don’t you want ‘r-x-r-x—x’?
Oops – take that last bit back. I’m not used to working in rwx. Used to working in octal. Yes you want at least 5s all the way through and as most on the last one.
PPS. Isn’t it sweet to see M$ forced to do Unix? ;)
Ethan, you are missing something and many people do care. Do you care if your house is built on sand or rock? Do you label every bottle in your house from bleach to soda “Drink Me”? The engineers of Unix didn’t just make up the executable bit just for the fun of it, it’s about security. MS better be making sure they are making a secure product and not undermining basic file system security philosophies just because they haven’t used PackageMaker before.
“Do you label every bottle in your house from bleach to soda ‘Drink Me’?”
Bleach supposedly leaves a bad aftertaste; maybe Ethan could enlighten us on that part.
Can you confirm that in Font Book the font “Bauhaus 93” (installed by Office 2008 and also 2004 as I’ve seen in a store) is said to have small errors (‘kern’ structure or similar)?
Validate that font, I think it’s a bug of Font Book in Leopard, I don’t think it’s corrupted, I’ve also replaced it with a Bauhaus 93 from a friend of mine and displays the same error in Font Book validation…
All works fine (except Font Book I think ;-) ) .