Mac OS X 10.1.4: Security Analysis and Recommendations

Mac OS X's core is based on BSD UNIX and, therefore, Mac OS X inherits the UNIX legacy and its security strengths and weaknesses. Apple deserves credit for making their product fairly secure out-of-the-box. All services served by the Internet superserver are disabled by default. To my knowledge, Mac OS X is the first commercial version of UNIX that ships with important third party security tools like TCP wrappers, OpenSSH, and the packet-filtering IP firewall. Mac OS X also provides the ability to notify users when system updates are available. Apple's latest OS lags behind other BSD distributions, though, with regards to some security measures. The operating system lacks any method to hide password hashes from unprivileged users, has insignificant password strength requirements, and lacks the ability to use a password hash algorithm other than DES. Some programs unnecessarily have set-UID and set-GID bits set and this also poses potential problems. This paper is an introduction to the security implications of Apple's latest offering (Mac OS X 10.1.4 at the time of this writing), providing particular focus on NetInfo, Mac OS X's directory system, and is intended to be a starting point for your own research.