Safe Terminal

Version 0.3

What is Safe Terminal?

Safe Terminal fixes a security weakness in the Mac OS X Terminal utility: it executes shell scripts without user confirmation.

If Safari's "Open safe files after download" option is enabled, it is possible to create malicious shell scripts that will be executed by the Terminal automatically after you download them. It is also possible to create malicious shell scripts that look like a document or a folder and that will be executed by Terminal on double click without warning.

After Safe Terminal is installed, the Terminal utility will show an alert before executing a shell script, allowing the user to confirm or cancel. Using the Terminal to type and run commands is not affected in any way.
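
To audit a download folder for the kind of files described above, the following script (an added example, not part of Safe Terminal) flags ".command" files, like the test.command file shipped in the disk image, and files that begin with "#!" under a non-script name. The "#!" test, the treatment of ".sh" as the only honest script extension, and all function and sample file names are assumptions of this example; it is a heuristic and does not detect the LaunchServices file association error.

```shell
#!/bin/sh
# Heuristic audit: list files in a folder that could run as shell scripts
# when opened. Assumptions (not from the Safe Terminal page): a script
# starts with "#!", and ".sh" is the only extension treated as honest.

# True if the first two bytes of file $1 are "#!".
has_shebang() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# classify FILE -> prints COMMAND, DISGUISED, SCRIPT or OK
classify() {
    case "$1" in
        *.command) echo COMMAND; return ;;   # same type as test.command
    esac
    if has_shebang "$1"; then
        case "$1" in
            *.sh) echo SCRIPT ;;             # script that says so in its name
            *)    echo DISGUISED ;;          # script content under another name
        esac
    else
        echo OK
    fi
}

# scan_dir DIR -> one "VERDICT<TAB>path" line per file that is not OK
scan_dir() {
    find "$1" -type f | while IFS= read -r f; do
        v=$(classify "$f")
        [ "$v" = OK ] || printf '%s\t%s\n' "$v" "$f"
    done
}

# Demo on constructed sample files (created in a temp dir, then removed).
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho hi\n' > "$d/test.command"
    printf '#!/bin/sh\necho hi\n' > "$d/holiday.jpg"   # document-style name
    printf 'plain text\n'         > "$d/notes.txt"
    scan_dir "$d" | sed "s|$d/||" | sort
    rm -rf "$d"
}

# With a folder argument, scan it; with none, run the demo.
if [ "$#" -gt 0 ]; then scan_dir "$1"; else demo; fi
```

Run it with a folder path as the only argument, for example the folder Safari downloads into; each reported file deserves a look before it is opened.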

What's new in this version

Install

  1. Log in as an administrator.
  2. Copy the folder named "Safe Terminal" in the disk image into the InputManagers folder inside the Library folder on the volume where Mac OS X is installed. If the InputManagers folder does not exist, create it.
  3. If the Terminal is running, restart it.

If you are not allowed to administer this computer, or want to install only for your account, you may install into the InputManagers folder inside the Library folder inside your home folder.

To verify the installation, double click the file named "test.command" in the disk image. A warning dialog will ask you "Are you sure you want to execute test.command?". Click Cancel or press the Escape key to cancel. Without Safe Terminal, a new shell window will open and the script will execute.

Uninstall

  1. If you installed as an administrator, log in as one.
  2. Delete the Safe Terminal folder from the InputManagers folder.
  3. If the Terminal is running, restart it.

Known Issues

Other risks

The Safari and Mail shell script execution vulnerability is related to an error in the handling of file associations by a system component called LaunchServices. This error is not fixed by Safe Terminal. It may be possible to attack your computer in other ways that exploit this error without using shell scripts.

Until this error is fixed by Apple, do not use the "Open safe files after download" option in Safari. As a general rule, avoid opening files originating from untrusted sources.

Links

Legal

Copyright © 2006 Nir Soffer

License: GNU General Public License, see COPYING