Text Size

MYOB 3 security issue relating to permissions

updated 03:55 pm EST, Wed January 22, 2003

A reader notes a security issue with relating to permissions. "I've had an ongoing discussion with the tech support about permissions required to run the program. What it boils down to is this, the normal user of the program is required to have access permissions, rwx, to the MYOB applications directory..."

This is done since a temporary spool file is created here for viewing reports. I suggested that a better place for this file would be where the user has normal access. E.g. Where the data file is stored in a non-networked case, since the user needs rw permissions here anyways. In a network case, the file could be in the users home directory. (The user has to run the application off of their local machine).



Otherwise this leaves that directory (in my case the /Applications) open for
that user, or depending how the groups are setup - any user, to erase the
application, install a trojan, or any other program into a location where
everyone assumes only the admin has put programs.



They probably think I'm paranoid. To use an old cliché, an ounce of
prevention is worth a pound of cure.

 
Previous Comments

Ummm

01/22, 04:44pm reply

Could it be handled a lot simply by putting MYOB in a sub-folder, and giving access to only that? Cures half the ills at least. Second step, specifically then change the permissions on the application file to not allow it to be replaced by users of that group (what, r-x?).

MacNN.com Reader

Fresh-Faced Recruit

Joined: Jul 2001

0

Stupid like Quicken 2003

01/22, 07:15pm reply

Quicken 2003 also proposes to create it's data file in the Applications folder. How stupid. The programmers need to get their mindset around the fact that the Applications folder is read-only for anyone except someone with Admin proviliges. User files go in their "Documents" folder. Duh!

MacNN.com Reader

Fresh-Faced Recruit

Joined: Jul 2001

0

Cheap OS 9 port anyone?

01/22, 07:20pm reply

Cheap, cheap, cheap, cheap, cheap.

MacNN.com Reader

Fresh-Faced Recruit

Joined: Jul 2001

0

Re: Like Quicken 2003

01/22, 10:50pm reply

I never understood the 'suggestion' to store your data file with the app (I guess it makes it easy for them to upgrade the file every year they update Quicken with a new whiz-bang feature - yeah, that's sarcastic). I've never stored it there, though, and at least its not required. However, they do require access to the directory to store (a) the Quicken Quotes file, and (b) store the backups of your quicken files. You really think they'd learn something. I'm sure on Windows they probably don't require such garbage.

MacNN.com Reader

Fresh-Faced Recruit

Joined: Jul 2001

0

Library Preferencces

01/23, 09:20am reply

Most of the "spool" type files, or "cache" type files in OSX are temporarily stored in the users home directory Library folder or in a sub folder within Library.

I would call the MYOB problem an issue of a classic application being carbonized without addressing how certian things work within OSX. They should IMMEDIATELY correct this and issue a minor revision update.

MacNN.com Reader

Fresh-Faced Recruit

Joined: Jul 2001

0

Popular News