Posted December 21, 2017
high rated
I was surprised when GOG installer asked for Admin password on macOS so I've started digging what is going on under the hood. And found this:
./galaxy_client_1.2.31.8.pkg/galaxyClientFirst.pkg/Scripts/postinstall
function SetPermissions()
{
echo "[5] Setting permissions"
sudo chown -R "$USER" "/Applications/GOG Galaxy.app"
sudo chmod -R 777 "/Applications/GOG Galaxy.app"
chmod -R 777 "${GALAXY_SHARED_PATH}"
xattr -d com.apple.quarantine "/Applications/GOG Galaxy.app"
}
You are setting EVERY app file as executable (why?) and WRITABLE for everyone? So for example guest user can inject any malicious script he wants as "/Applications/GOG\ Galaxy.app/Contents/MacOS/GOG\ Galaxy" and he will get full control over my account whenever I try to run GOG Galaxy? But it gets worse:
./galaxy_client_1.2.31.8.pkg/galaxyClientFirst.pkg/Scripts/GalaxyRedists.pkg/galaxyRedistsFirst.pkg/Scripts/po stinstall
function InstallService()
{
echo "[4] Register service"
sudo -u "$USER" launchctl load -w "${GALAXY_COMMSERVICE_PATH}"
...
}
function SetPermissions()
{
chown -R "$USER":staff "${GALAXY_REDISTS_PATH}"
chown -R "$USER":staff "${GALAXY_SHARED_PATH}"
chmod -R 777 "${GALAXY_REDISTS_PATH}"
chmod -R 777 "${GALAXY_SHARED_PATH}"
chmod -R 777 "${GOG_COM_PATH}"
}
I do not even have to run application, because any user can freely modify file "/Users/Shared/GOG.com/Galaxy/redists/GalaxyCommunication" which is automatically run as "/Library/LaunchAgents/com.gog.galaxy.commservice.plist" service under my $USER in admin group.
Those are CRITICAL security issues!
Please, fix this installer ASAP.
Stop polluting system space and require Admin privileges.
Allow installation in user directory.
Install all required services in ~/Library/LaunchAgents for every user independently.
Give an option to opt-out from GalaxyUpdater process if GOG is installed outside user directory (for example in /Applications) so it won't spam non-admin users for admin password.
Thanks.
./galaxy_client_1.2.31.8.pkg/galaxyClientFirst.pkg/Scripts/postinstall
function SetPermissions()
{
echo "[5] Setting permissions"
sudo chown -R "$USER" "/Applications/GOG Galaxy.app"
sudo chmod -R 777 "/Applications/GOG Galaxy.app"
chmod -R 777 "${GALAXY_SHARED_PATH}"
xattr -d com.apple.quarantine "/Applications/GOG Galaxy.app"
}
You are setting EVERY app file as executable (why?) and WRITABLE for everyone? So for example guest user can inject any malicious script he wants as "/Applications/GOG\ Galaxy.app/Contents/MacOS/GOG\ Galaxy" and he will get full control over my account whenever I try to run GOG Galaxy? But it gets worse:
./galaxy_client_1.2.31.8.pkg/galaxyClientFirst.pkg/Scripts/GalaxyRedists.pkg/galaxyRedistsFirst.pkg/Scripts/po stinstall
function InstallService()
{
echo "[4] Register service"
sudo -u "$USER" launchctl load -w "${GALAXY_COMMSERVICE_PATH}"
...
}
function SetPermissions()
{
chown -R "$USER":staff "${GALAXY_REDISTS_PATH}"
chown -R "$USER":staff "${GALAXY_SHARED_PATH}"
chmod -R 777 "${GALAXY_REDISTS_PATH}"
chmod -R 777 "${GALAXY_SHARED_PATH}"
chmod -R 777 "${GOG_COM_PATH}"
}
I do not even have to run application, because any user can freely modify file "/Users/Shared/GOG.com/Galaxy/redists/GalaxyCommunication" which is automatically run as "/Library/LaunchAgents/com.gog.galaxy.commservice.plist" service under my $USER in admin group.
Those are CRITICAL security issues!
Please, fix this installer ASAP.
Stop polluting system space and require Admin privileges.
Allow installation in user directory.
Install all required services in ~/Library/LaunchAgents for every user independently.
Give an option to opt-out from GalaxyUpdater process if GOG is installed outside user directory (for example in /Applications) so it won't spam non-admin users for admin password.
Thanks.