Text Size
MYOB 3 security issue relating to permissions
updated 03:55 pm EST, Wed January 22, 2003
A reader notes a security issue with relating to permissions. "I've had an ongoing discussion with the tech support about permissions required to run the program. What it boils down to is this, the normal user of the program is required to have access permissions, rwx, to the MYOB applications directory..."
This is done since a temporary spool file is created here for viewing reports. I suggested that a better place for this file would be where the user has normal access. E.g. Where the data file is stored in a non-networked case, since the user needs rw permissions here anyways. In a network case, the file could be in the users home directory. (The user has to run the application off of their local machine).
Otherwise this leaves that directory (in my case the /Applications) open for
that user, or depending how the groups are setup - any user, to erase the
application, install a trojan, or any other program into a location where
everyone assumes only the admin has put programs.
They probably think I'm paranoid. To use an old cliché, an ounce of
prevention is worth a pound of cure.
Ummm
01/22, 04:44pm reply
Could it be handled a lot simply by putting MYOB in a sub-folder, and giving access to only that? Cures half the ills at least. Second step, specifically then change the permissions on the application file to not allow it to be replaced by users of that group (what, r-x?).
MacNN.com Reader
Fresh-Faced Recruit
Joined: Jul 2001
Stupid like Quicken 2003
01/22, 07:15pm reply
Quicken 2003 also proposes to create it's data file in the Applications folder. How stupid. The programmers need to get their mindset around the fact that the Applications folder is read-only for anyone except someone with Admin proviliges. User files go in their "Documents" folder. Duh!
MacNN.com Reader
Fresh-Faced Recruit
Joined: Jul 2001
Cheap OS 9 port anyone?
01/22, 07:20pm reply
Cheap, cheap, cheap, cheap, cheap.
MacNN.com Reader
Fresh-Faced Recruit
Joined: Jul 2001
Re: Like Quicken 2003
01/22, 10:50pm reply
I never understood the 'suggestion' to store your data file with the app (I guess it makes it easy for them to upgrade the file every year they update Quicken with a new whiz-bang feature - yeah, that's sarcastic). I've never stored it there, though, and at least its not required. However, they do require access to the directory to store (a) the Quicken Quotes file, and (b) store the backups of your quicken files. You really think they'd learn something. I'm sure on Windows they probably don't require such garbage.
MacNN.com Reader
Fresh-Faced Recruit
Joined: Jul 2001
Library Preferencces
01/23, 09:20am reply
Most of the "spool" type files, or "cache" type files in OSX are temporarily stored in the users home directory Library folder or in a sub folder within Library.
I would call the MYOB problem an issue of a classic application being carbonized without addressing how certian things work within OSX. They should IMMEDIATELY correct this and issue a minor revision update.
MacNN.com Reader
Fresh-Faced Recruit
Joined: Jul 2001