undefined | Better HN

0 pointsjzwinck8y ago0 comments

It requires the attacker to be able to type a few characters into a logged in session. If the session is not an administrative one, it's not fair to say all bets were off.

If I give you a Mac logged in with an unprivileged account and you can use only the keyboard and mouse to gain root access, the security has failed.

I think you've conflated this with the attacker having (full) physical access to the machine, which conventionally means access to its ports and perhaps a screwdriver. This is not that.

0 comments

senko8y ago

Fair point, if that works with a guest account.

I was thinking along the lines of, if I have write access to your .bashrc (or a multitude of other config files that you as an unprivileged user have write access to, and can be used to trick you later into running code of my choosing), all bets are off.

j / k navigate · click thread line to collapse

0 pointsjzwinck8y ago0 comments

It requires the attacker to be able to type a few characters into a logged in session. If the session is not an administrative one, it's not fair to say all bets were off.

If I give you a Mac logged in with an unprivileged account and you can use only the keyboard and mouse to gain root access, the security has failed.

I think you've conflated this with the attacker having (full) physical access to the machine, which conventionally means access to its ports and perhaps a screwdriver. This is not that.

0 comments

senko8y ago

Fair point, if that works with a guest account.

j / k navigate · click thread line to collapse