The fix for day 5’s bug sadly can’t be effected through runtime patching alone. It requires changing the on-disk permissions of a number of files and directories that are writable by default. I’m providing scripts you can run in Terminal.app to change these permissions to safe values.
- bom-safety.py (sig) changes the permissions to safe values.
- bom-unsafety.py (sig) changes the permissions back to Apple’s original (unsafe) values.
You can run these scripts in Terminal.app as root using sudo:
sudo /usr/bin/python bom-safety.py
It’ll print a message when it is done or if it encounters a problem.
Finlay Dobbie pointed out that certain Apple installers like X11.app or XCode Tools may change these permissions back to vulnerable values again.
In order to re-run the bom-safety script you must rename the backup it creates at
- Set the sticky bit on /Library/Receipts
- Set the sticky bit on the paths down to each of the critical BOMs
- Unset the group-write bit on the critical BOMs
- Create root-owned 0-length placeholders for critical BOMs/paths that don’t exist
- Back up /Library/Receipts/BaseSystem.pkg/Contents/Archive.bom
- Make a 1-bit change to the /Library/Receipts/BaseSystem.pkg/Contents/Archive.bom file that causes repair permissions to keep the sticky bit set on /Library/Receipts rather than removing it
- Print a completed message
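To make the permission steps concrete, here is an added example (my own illustration, not the bom-safety.py script itself) that audits a receipts tree for the unsafe conditions listed above and applies the sticky-bit, group-write and placeholder fixes. It works on any directory you point it at, so it can be exercised on a constructed temporary tree without root; the function names, the "Example.pkg" receipt and the sample BOM bytes are assumptions. The backup and the 1-bit change to Archive.bom are not reproduced here because the post does not describe which bit changes.

```python
import os
import shutil
import stat
import tempfile


def _path_chain(receipts_root, bom_path):
    """Yield receipts_root and each directory below it leading to bom_path."""
    rel = os.path.relpath(bom_path, receipts_root)
    current = receipts_root
    yield current
    for part in rel.split(os.sep)[:-1]:
        current = os.path.join(current, part)
        yield current


def audit_bom_paths(receipts_root, critical_boms, expected_uid=0):
    """Return (path, problem) pairs for every unsafe condition found."""
    findings = []
    for bom in critical_boms:
        for directory in _path_chain(receipts_root, bom):
            if not os.path.isdir(directory):
                findings.append((directory, "directory missing"))
                continue
            if not os.stat(directory).st_mode & stat.S_ISVTX:
                findings.append((directory, "sticky bit not set"))
        if not os.path.isfile(bom):
            findings.append((bom, "BOM missing"))
            continue
        st = os.stat(bom)
        if st.st_mode & stat.S_IWGRP:
            findings.append((bom, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((bom, "world-writable"))
        if st.st_uid != expected_uid:
            findings.append((bom, "not owned by uid %d" % expected_uid))
    return findings


def harden_bom_paths(receipts_root, critical_boms):
    """Apply the sticky-bit, group-write and placeholder fixes; return touched paths."""
    changed = []
    for bom in critical_boms:
        parent = os.path.dirname(bom)
        if not os.path.isdir(parent):
            os.makedirs(parent)          # placeholder path so nobody else can create it
            changed.append(parent)
        if not os.path.exists(bom):
            open(bom, "wb").close()      # 0-length placeholder BOM
            changed.append(bom)
        if os.geteuid() == 0:            # only root can hand ownership to root
            os.chown(bom, 0, 0)
        for directory in _path_chain(receipts_root, bom):
            mode = stat.S_IMODE(os.stat(directory).st_mode)
            if not mode & stat.S_ISVTX:
                os.chmod(directory, mode | stat.S_ISVTX)
                changed.append(directory)
        mode = stat.S_IMODE(os.stat(bom).st_mode)
        safe = mode & ~(stat.S_IWGRP | stat.S_IWOTH)
        if safe != mode:
            os.chmod(bom, safe)
            changed.append(bom)
    return changed


def demo():
    """Build a constructed receipts tree with unsafe defaults, then audit, harden, re-audit."""
    root = tempfile.mkdtemp()
    existing = os.path.join(root, "BaseSystem.pkg", "Contents", "Archive.bom")
    missing = os.path.join(root, "Example.pkg", "Contents", "Archive.bom")  # assumed name
    os.makedirs(os.path.dirname(existing))
    with open(existing, "wb") as f:
        f.write(b"BOMStore")             # constructed stand-in for real BOM content
    os.chmod(existing, 0o664)            # group-writable, as shipped
    os.chmod(root, 0o775)                # no sticky bit, as shipped
    boms = [existing, missing]
    before = audit_bom_paths(root, boms, expected_uid=os.geteuid())
    harden_bom_paths(root, boms)
    after = audit_bom_paths(root, boms, expected_uid=os.geteuid())
    shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    unsafe, remaining = demo()
    for path, problem in unsafe:
        print("before: %s: %s" % (path, problem))
    print("after hardening: %d problems remain" % len(remaining))
```

Against a real system you would pass /Library/Receipts and the critical BOM paths and run it with sudo, since only root can chown the placeholders to root; on the constructed tree the audit passes expected_uid=os.geteuid() so the ownership check is meaningful without privileges.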
As always, you shouldn’t run code unless you can understand it yourself, trust someone who understands it, or trust the author of the code. For those wondering whether I actually wrote the code linked above, I am providing GPG signatures above for your review. Ironically, the currently available GnuPG for Mac has had a code execution security hole since early December. I’m building new universal binaries of GPG now and will post them later today.