Mimsy Were the Borogoves

Hacks: Articles about programming in Python, Perl, PHP, and whatever else I happen to feel like hacking at.

Mac OS X Server and pmset

Jerry Stratton, December 28, 2005

In iTunes Sleeper, I wrote that pmset might be used by unprivileged accounts to put your computer to sleep, resulting in a denial-of-service attack if an unprivileged account is hacked.

I’ve done some further testing on Mac OS X Server 10.4.3. As opposed to Mac OS X Client 10.4.3, the server version does not appear to respond to pmset at all from an unprivileged account. Since most servers that have lots of unprivileged users will be Mac OS X Server, pmset does not appear to be a major flaw.

By default, Mac OS X Server is not set to go to full sleep, nor is it set to sleep the disks, so that may be part of the reason it doesn’t affect Server. But Mac OS X Server does not appear to even pay attention to pmset forcing a displaysleep change: by default, the display is set to sleep after 30 minutes, and a “pmset force -c displaysleep 2” from an unprivileged account does not change this.

In fact, it appears that “pmset force” does not apply even from a privileged account. It does apply (to displaysleep, but not to sleep) when using sudo.

Mac OS X Client tests were performed on a June 2005 iMac G5; Mac OS X Server tests were performed on an older grey G4 tower.
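One way to make the before/after comparison in these tests repeatable is to diff two snapshots of `pmset -g` output. This is an added example, not code from the original article. The function names, the sample snapshots and the assumed "name value" line layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: list power settings whose value differs between two
# snapshots of `pmset -g` output. On a live system, capture
# before=$(pmset -g), run the test command from the account under test,
# then capture after=$(pmset -g).

# Constructed sample snapshots (not captured from a real machine).
# Assumption: each setting appears as "name value" on its own line.
BEFORE_SAMPLE='Active Profiles:
AC Power   -1*
Currently in use:
 sleep         0
 displaysleep  30
 disksleep     0
 womp          1'

AFTER_SAMPLE='Active Profiles:
AC Power   -1*
Currently in use:
 sleep         0
 displaysleep  2
 disksleep     0
 womp          1'

# pm_settings: read snapshot text on stdin and print "name value" for
# every line that is a lowercase setting name followed by a number.
pm_settings() {
    awk 'NF == 2 && $1 ~ /^[a-z]+$/ && $2 ~ /^[0-9]+$/ { print $1, $2 }'
}

# pm_changed BEFORE AFTER: print "name old->new" for each setting whose
# value changed. Empty output means the forced change did not take effect.
pm_changed() {
    before=$(printf '%s\n' "$1" | pm_settings)
    printf '%s\n' "$2" | pm_settings | while read -r name new; do
        old=$(printf '%s\n' "$before" | awk -v n="$name" '$1 == n { print $2 }')
        [ "$old" = "$new" ] || printf '%s %s->%s\n' "$name" "${old:-unset}" "$new"
    done
}

# Demo on the constructed samples.
pm_changed "$BEFORE_SAMPLE" "$AFTER_SAMPLE"
```

An empty result corresponds to the Server behaviour described above, where the display sleep setting stayed at 30 minutes; a `displaysleep` line in the output means the unprivileged change was honoured.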

In response to A simple iTunes sleep timer: If you enjoy listening to music for a while before you go to sleep, but don’t want to have iTunes on all night, you can use AppleScript to make iTunes and your Mac do what you want it to do.