Question about the kexts

Discussion in 'Parallels Desktop for Mac' started by Nekrik, Apr 10, 2006.

  1. Nekrik

    Nekrik Bit poster

    Messages:
    2
    How did they get installed with root:wheel permissions without asking for authorization?
     
  2. daveschroeder

    daveschroeder Member

    Messages:
    64
    They're inside of the application wrapper in /Applications/Parallels.app. They're then started by a StartupItem that goes in /Library/StartupItems. Since an admin user has permission to both place items in /Library/StartupItems and /Applications, no authorization is needed. Also, the owner and group are irrelevant.

    While it can be argued[1] (incorrectly) that this might reveal a general (but very minor) security issue with Mac OS X, this is NOT the fault of Parallels, and Parallels isn't doing anything wrong.

    Items, including kexts, can have any permissions and user/group, and StartupItems can be placed in the appropriate location by an installer. This isn't incorrect behavior, and explicit user action - indeed, running an installer - is required to install Parallels.

    [1] Some are saying this is the equivalent of installing a "rootkit". Um, no. First of all, a "rootkit", by definition, has to be installed without your knowledge. Second, a rootkit is generally malicious. Parallels meets neither of these criteria. An application installed using the Apple Installer by an admin user does not have to prompt for authorization for anything Parallels installs (FYI, it does prompt for a non-admin user, because it has to). It's the Apple Installer itself that is enforcing the authorization principles. Also, everything installed is logged to /Library/Receipts.
     
    Last edited: Apr 11, 2006
  3. jmdevaney

    jmdevaney Member

    Messages:
    35
    The /Library/StartupItems folder has permissions of 755 root:wheel as does
    /Library/StartupItem/Parallels so if it does not ask for permission how does it create this startup item?

    I am an admin user and I cannot make a directory or even change into the StartupItems folder without sudo...

    I'm not worried yet, just curious...
     
  4. mike3k

    mike3k Member

    Messages:
    65
    Startup Items are run as root.
     
  5. jmdevaney

    jmdevaney Member

    Messages:
    35
    The question is how does Parallels install the StartupItem when it never asks for a password?
    The permissions do not allow this...
     
  6. daveschroeder

    daveschroeder Member

    Messages:
    64
    The *Apple Installer* is allowed to do this.

    Running an installer implies explicit user permission.

    If anything, it's not "how does Parallels do this", it's "how does the Apple Installer do this", since that's the installation method Parallels is using. And the answer is that the Apple Installer does this because it allows admin users to install StartupItems when an installer is explicitly run.

    No doubt people will argue this represents a security hole akin to the previous StartupItems hole, but it's really all about a matter of degree. The issue before was that things could potentially be placed in /Library/StartupItems via another vector (without any deliberate interaction from the user) and become root on the next restart. In this case, the user is actively *running an installer*, and Installer still allows the installation of StartupItems by admin users.
     
    Last edited: Apr 11, 2006
  7. jmdevaney

    jmdevaney Member

    Messages:
    35
    OK thanks, I'm just trying to get a better idea of what is happening... Not trying to imply that Parallels is doing anything wrong.
     
  8. Nekrik

    Nekrik Bit poster

    Messages:
    2
    Thanks for the info

    Thanks from me as well, I was mostly curious as to how they did it.
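
An added example, not part of any post in this thread and not Parallels' or Apple's code: a shell check for the condition post 6 describes, entries under /Library/StartupItems that an account other than root could modify before they are run as root at the next restart. The function name and the EXPECTED_UID parameter are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a StartupItems-style directory for entries that an
# account other than the expected owner could modify.
#
# audit_startup_items DIR [EXPECTED_UID]
#   DIR           directory to audit, e.g. /Library/StartupItems
#   EXPECTED_UID  numeric owner expected on every entry
#                 (assumed default: 0, i.e. root)
# Prints one "reason: path" line per finding, sorted.
# Returns 0 if clean, 1 if there are findings, 2 if DIR is not a directory.
audit_startup_items() {
    dir=$1
    want_uid=${2:-0}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    findings=$(
        # Group- or world-writable entries: another account could plant or
        # alter an item here. Symlinks are skipped because their own mode
        # bits are not meaningful.
        find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print |
            sed 's/^/writable: /'
        # Entries owned by anyone other than the expected uid: that owner
        # can rewrite them regardless of the mode bits.
        find "$dir" ! -user "$want_uid" -print |
            sed 's/^/owner: /'
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | sort
    return 1
}
```

With the 755 root:wheel permissions quoted in post 3, `audit_startup_items /Library/StartupItems` prints nothing and returns 0.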
     
