
Welcome to IWETHEY!

New Couple Update error massages:
'08 iMac 2.66 GHz etc.

It is my practice after an update … to revert to Std Redmond Paranoia [think: l33T Survival Skillz.] Thus, I indeed RTFM, in this case, scan console and 'All' -- logs. Then I run disk util, merely to see how the Permissions have fared; usually a couple are off via a 'drwxr --> lrwxr' and like that trivial. Today it zipped through the Permissions; est "38 Min" anticipated time: actual more like 2. As usual too, no surprises; how unRedmond can you get?

This complaint though, I recall from earlier updates; figure I ought to find out whether it too is trivial. Or not:

"System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent" has been modified and will not be repaired
(Note above this msg.: "Falling back to default Mach exception handler")

Among comments Googled re this error line, this from Apple:
http://lists.apple.c...Jun/msg00033.html
But it's from 6-27-08. Still, these exchanges --


Hi,

I checked into the ARDAgent exploit which is discussed on the Macshadows web site.

http://www.macshadow...=ARDAgent_exploit

I wonder whether this exploit works on Leopard as that article says. It seems to have been checked only on Tiger, 10.4.11.

It is true ARDAgent has the set-uid bit of root. But ARDAgent does not run as root but as nobody on Leopard.

------
xforce1:~ sadmin$ sw_vers
ProductName: Mac OS X Server
ProductVersion: 10.5.3
BuildVersion: 9D34

xforce1:~ sadmin$ w
12:11 up 28 days, 17:12, 1 user, load averages: 0.03 0.03 0.00
USER TTY FROM LOGIN@ IDLE WHAT
sadmin s000 garuda.local 10:40 - w

xforce1:~ sadmin$ ps aux|grep ARDA |grep -v grep
nobody 4200 0.0 0.1 89252 2292 ?? S 10:41AM 0:00.04 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent -psn_0_1642897
nobody 65783 0.0 0.1 94456 3688 ?? Ss Mon03PM 0:34.04 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

xforce1:~ sadmin$ osascript -e 'tell application "ARDAgent" to do shell script "id"'
_RegisterApplication(), FAILED TO establish the default connection to the WindowServer, _CGSDefaultConnection() is NULL.
31:51: execution error: ARDAgent got an error: "id" doesn’t understand the do shell script message. (-1708)
-----

As you know, on Leopard, ARDAgent runs as nobody or as the current user of the console. Who logs in as root?
And there is a restriction that causes the execution error.

That article says the exploit affects both Tiger and Leopard. My understanding is that there is a vulnerability in ARDAgent on Tiger or earlier but not Leopard. Is this a correct understanding or a big misunderstanding?

Any suggestions, opinions and advice would be appreciated.

Thanks,


-takanori



Presumably Snow-L has benefitted from all the above concerns, since.
Point is, while I have no intention of enabling RemoteManagement -- isn't this ARDAgent in the area you'd expect to just maybe.. give a hint of pwned-ership?

Firewall log is replete with usual chatter, of course. But does there exist any handy utility for occasional use -- which is worth running / can at least indicate that there is cause for a more elaborate investigation?
I have no router/firewall yet as I've not found a single router model which installs on OS X without what appears to be an inordinate amount of CL massaging (nor even cookbook procedure for such; hell, I can type commands too.) I still don't do networks as the devil IS in the one detail missed. I want autoconfig and I'll tell it the ISP numbers.

Have considered my neighbor's paranoid solution after her neophyte trip through WiFi attaching to local school and not her ISP. Etc.: Net Barrier. Software, yes, thus $$ but so is OS X's apparently decent app. Maybe Net Barrier is superfluous? There WILL be 'sploits as Apple share rises.
I can feel it.. I can feel it.. (Only 1 Brownie point for source.)

Near end of the Update chatter (none with * on a quick perusal:)
"Could not find: com.apple.ReportCrash.Self"

Wtf is KARSTEN doing inside my Apple?
(Clearly the crash-save process works; on the few Leopard crashes all the data was there for ship --> Cupertino.)

I do grok the point made by Peter et al, that preoccupation with 'Permissions' is the hobby of the angst-ridden; I look now only after an Update because so many files are massaged. I ain't got no steenkin Angst, I'm just lazy == don't want to Fix things; I want them to stay unbroke.

Thanks for any tips beyond.. there, there, don't worry pretty-little head; OS X is T(o)uring Complete.
If this iMac catches fire tomorrow, it has had a bitchin first year free of all Redmond infuriating cutesy-pie-speak obfuscation.
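
The manual checks in the quoted mailing-list message (is the binary set-uid, and which user owns the running ARDAgent processes) can be scripted as a read-only audit. This is an added example, not part of the thread and not Apple's code; the function names are hypothetical and the sample `ps` lines are constructed, modeled on the output quoted above.

```shell
#!/bin/sh
# Added example: read-only audit of the ARDAgent binary named in the thread.
# Function names are hypothetical; ARD_BIN is the path quoted in the log line.
ARD_BIN="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# Constructed sample, modeled on the `ps aux` lines in the quoted message.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
nobody 4200 0.0 0.1 89252 2292 ?? S 10:41AM 0:00.04 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent -psn_0_1642897
nobody 65783 0.0 0.1 94456 3688 ?? Ss Mon03PM 0:34.04 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent'

# Read `ps aux` text on stdin; print each distinct user owning an ARDAgent
# process (field 1 = USER, field 11 = executable path).
ard_process_users() {
    awk '$11 ~ /\/ARDAgent$/ { print $1 }' | sort -u
}

# Report the set-uid state of the binary and the users running it.
# Returns 1 only when a process runs as root, 0 otherwise.
ard_audit() {
    bin=$1; ps_out=$2; rc=0
    if [ ! -e "$bin" ]; then
        echo "INFO: $bin not present"
    elif [ -u "$bin" ]; then
        echo "NOTE: $bin has the set-uid bit set"
    else
        echo "OK: $bin has no set-uid bit"
    fi
    for u in $(printf '%s\n' "$ps_out" | ard_process_users); do
        if [ "$u" = "root" ]; then
            echo "WARN: ARDAgent process running as root"
            rc=1
        else
            echo "OK: ARDAgent process running as $u"
        fi
    done
    return $rc
}

# Demo on the constructed sample; on a Mac use: ard_audit "$ARD_BIN" "$(ps auxww)"
ard_audit "$ARD_BIN" "$SAMPLE_PS"
```

The quoted message already says the binary carries the set-uid bit, so the NOTE line is informational; a root-owned ARDAgent process is the condition that returns non-zero.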

New Couple of things.
1) Apple says you can ignore that permissions message on the ARDAgent (and on many others): http://support.apple...?viewlocale=en_US (found via an Advanced search at Apple.com)

2) A workaround to the ARDAgent escalation of privileges (if that's what it was?) is in here - http://reviews.cnet....html?tag=mfiredir But it seems it was fixed in 2008 and should have showed up in the various security updates. http://support.apple.com/kb/HT3145

Find something else to worry about. :-D

Cheers,
Scott.
New Gracias
Since Apple's annotations are surprisingly legible in most log entries -- a phrase like has been modified and will not be repaired ... is ominous, maybe for being unnecessarily terse. / what 'modified' it? Etc.

The support.apple blurb pretty much covers most permission changes (!) but fails to elaborate on the "will not be repaired" phrase. Don't you fix things that are Broken? (Cry Wolf..?) How about, instead: "__ has been (intentionally?) modified and will not be restored to default." [??]
I mean, I Expect Apple to employ the highest standards of English, all the better to shame that other toy OS.
<that's a joke, Son -- clearly those other folk are shameless.>

Dunno why that support. one didn't hit my sieve. Have to enroll in remedial-Google.

Per your suggestion, I shall return to worrying about things I can do something about ...
pets summarily abandoned (sometimes in outright cruel fashion) by the truly shameless of my fellow Muricans.

(Am discovering that there are now many folks doing efficient pro bono work to alleviate what is an epidemic.) As we might well expect; exacerbated by all the burst bubbles and the ongoing criminal machinations of the Finance-Industrial Complex. It's not just bipeds they screw over.

Thanks again for making it all well.