While doing some tests for indexing a database, I noticed a massive security problem:
At least on ExFat file systems, the permissions for new files look like this:
tja@mini:~$ mount | grep USBA
/dev/disk7s1 on /Volumes/USBA (exfat, local, nodev, nosuid, noowners)
tja@mini:/Volumes/USBA$ touch TESTFILE
tja@mini:/Volumes/USBA$ ls TESTFILE
-rwxrwxrwx 1 tja staff 0 Dec 23 17:37 TESTFILE
tja@mini:/Volumes/USBA$ umask
0022
From the command line, all permissions are set, despite the umask!
And now the problem:
DEVONthink just executes any file that has executable rights (“x”) set!
Here, the file has the name “NEW”:
Example, this is a text file with the line “i am new” … nothing else.
But a double-click on this file will open a shell that executes the content:
Last login: Thu Dec 23 17:27:35 on ttys002
The default interactive shell is now zsh.
To update your account to use zsh, please run `chsh -s /bin/zsh`.
For more details, please visit https://support.apple.com/kb/HT208050.
/Volumes/SDCARD/TESTDIR/test_a/NEW ; exit;
(base) tja@mini:~$ /Volumes/SDCARD/TESTDIR/test_a/NEW ; exit;
/Volumes/SDCARD/TESTDIR/test_a/NEW: line 1: i: command not found
logout
Saving session...
...copying shared history...
...saving history...truncating history files...
...completed.
[Process completed]
That means, that at any time, a double-click on an item may run arbitrary commands!
This is sure not what is expected here!
The default option for a file should maybe be an edtior or preview, but sure not the execution!
Are there already any options to prevent this behavior, @BLUEFROG ?
If not, I would strongly ask for something that prevents this!