Posted on 01-09-2013 05:48 AM
Hello All,
This seems to me like a small issue, but wanted to throw it out there before I sent it in as a feature request.
The Self-Service (8.61) seems to be installed with UID 501 as owner. This was tested on a 10.8.2 machine that was added to the JSS through the Casper Imaging process.
The reason this concerns me is that we don't have a user 501 on the machine by default, so if someone creates a local user they will get ownership of the Self Service application. Seems like a security hole to me. Maybe it isn't.
Anyway. Does anyone else think the ownership should be assigned to the managed account or root?
Chris
Posted on 01-09-2013 06:18 AM
Chris,
I see the same thing and I agree with you that it should not be 501, it should be set as root to follow the ownership of the Application folder itself. I would go as far as calling this a defect, and it should be emailed to support.
I've never really looked into how the binary pulls down Self Service on its own, but perhaps if it is grabbing a DMG or APP bundle, the permissions were never corrected on the JAMF side before being put into the installer?
Edit: Same on 8.6.2
Craig E
Posted on 01-09-2013 06:45 AM
Huh. That's interesting. I never noticed this but I've got that as well. The only local users I have on my box are sub-500 UID users (including the Casper Admin account). Everyone logs in with AD.
Personally, I think ownership should be root:wheel like all other system software.
Posted on 01-09-2013 07:15 AM
Wow, that is odd. I'm getting the same here. JSS 8.6. I wonder how many versions it's been like that? It might not be a security hole, but it definitely seems like a defect to me. All apps in /Applications should be set to root:wheel in my opinion, unless it's something I specifically installed as an admin.
Posted on 11-20-2018 10:08 AM
This is still an issue with macOS 10.12.6 and JAMF Pro 10.8.
Our students are created using a Prestage enrollment. Their standard user account is UID 501, and becomes the owner of Self Service.app.
Posted on 11-20-2018 10:49 AM
Also, I've created a feature request for it here:
https://www.jamf.com/jamf-nation/feature-requests/8114/fix-self-service-onwership-security-issue
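A way to check for the ownership problem discussed in this thread, as an added example that is not part of any poster's message and not JAMF's own tooling: a shell function that lists every .app bundle in a directory whose numeric owner is not the expected UID (0, root, by default). The function name `audit_app_owners` and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: report .app bundles whose owner UID
# differs from the expected one. Function and argument names are hypothetical.
#
# Usage: audit_app_owners DIR [EXPECTED_UID]
#   DIR           directory to scan, e.g. /Applications
#   EXPECTED_UID  numeric owner that is considered correct (default 0 = root)
#
# Prints "<uid><TAB><path>" for each mismatch and returns 1 if any were found,
# so it can drive a compliance check or an inventory attribute.
audit_app_owners() {
    dir=$1
    expected=${2:-0}
    rc=0
    for app in "$dir"/*.app; do
        # Skip the unexpanded glob (no bundles) and anything that is not a
        # directory; app bundles are directories.
        [ -d "$app" ] || continue
        # "ls -ldn" prints the numeric owner in field 3 on both macOS and
        # Linux, and that field comes before the name, so bundle names that
        # contain spaces ("Self Service.app") do not break the parse.
        uid=$(ls -ldn "$app" | awk '{print $3}')
        if [ "$uid" != "$expected" ]; then
            printf '%s\t%s\n' "$uid" "$app"
            rc=1
        fi
    done
    return $rc
}
```

Calling `audit_app_owners /Applications` on a machine with the behaviour described above would print a line beginning with 501 for Self Service.app.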