Followup: Mac OS X ARDAgent vulnerability advice

Various parties in the Mac community have weighed in and suggested the best way to address the issue highlighted in last week’s advisory regarding an escalation of privilege vulnerability in ARDAgent. While some have suggested that enabling the remote access service may actually correct the privilege escalation, there’s been enough evidence that it doesn’t really work. And the suggestion to clear the setuid bit that allows ARDAgent to act as root appears to break ARDAgent altogether, at least for some commentators. That leaves only two options:

  1. If you don’t need to have anyone remotely manage your application, just delete or archive ARDAgent.app.
  2. Restrict ARDAgent from being able to run the AppleScript “do shell script” command (as described in Martin Kou’s blog).
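
As an added illustration of the first option (this is not from the original post or from Apple), the shell functions below audit an application bundle for setuid/setgid executables and, if you decide you don’t need it, archive the bundle to a tarball before removing it. The ARDAgent.app path is an assumption; set ARDAGENT_APP to wherever it lives on your system.

```shell
#!/bin/sh
# Added example, not from the original post. The default path below is an
# assumption about where ARDAgent.app lives; override it via the environment.
ARDAGENT_APP="${ARDAGENT_APP:-/System/Library/CoreServices/RemoteManagement/ARDAgent.app}"

# Print every setuid or setgid file under a bundle, one path per line.
# Returns 0 if at least one such file exists, 1 if none (or no such bundle).
list_setuid_files() {
    app="$1"
    [ -d "$app" ] || return 1
    # -perm -4000 matches the setuid bit, -perm -2000 the setgid bit
    found=$(find "$app" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Mitigation 1 from the post: archive the bundle into a timestamped tarball
# under $2 and then delete the bundle. Prints the archive path on success.
archive_bundle() {
    app="$1"
    dest="$2"
    [ -d "$app" ] || return 1
    name=$(basename "$app")
    archive="$dest/$name.$(date +%Y%m%d%H%M%S).tar.gz"
    mkdir -p "$dest" || return 1
    tar -czf "$archive" -C "$(dirname "$app")" "$name" || return 1
    rm -rf "$app" || return 1
    printf '%s\n' "$archive"
}

# Report only; the decision to archive is left to the administrator.
if [ -d "$ARDAGENT_APP" ]; then
    list_setuid_files "$ARDAGENT_APP" \
        || echo "no setuid/setgid files found under $ARDAGENT_APP"
fi
```

Run the report as a normal user; archiving a system bundle will need root, which is exactly the privilege the setuid binary was handing out in the first place.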

It would be nice if Apple just closed the hole, wouldn’t it?

While you’re at it, don’t forget to update Ruby (it’s part of the default Mac OS X installation), if you’re using it, to close a whole bunch of holes in the core Ruby runtime, from numeric errors to buffer overflows.

And can we stop pretending that the Mac OS X platform is magically secure?

Integrating Rally with Trac

My company uses Trac as a ticketing engine and wiki and Rally for requirements management. We’ve been investigating ways to combine the two. (Of course, Rally has its own defect tracking system, but Trac is pretty well entrenched and integrates with our source repository.)

Rally provides a pretty well defined REST-based API, and many of their integrations are built using the RallyRESTAPI Ruby gem. So I went hunting for something comparable for the Trac side. It looks like Rtrac might be the way to go. One challenge is that the Rtrac documentation is scanty, and it’s not clear how one might do an arbitrary ticket query (say, all tickets saved since a certain date). But we should be able to use some of the existing Rally integration examples to proceed.