Alert: Flash Player Installer Opens Up Root Home Folder

I updated the current installation of Adobe Flash Player at work today over ARD and had several people ask me odd questions about why there was a Finder window with the word root for a title when they came in to login this morning. Needless to say that raised warning bells all over the place for myself.

On checking the computers I noticed it occurred on every computer running Tiger and that every computer running Leopard did show the menu bar and said Finder was running but unlike Tiger it did not allow you to perform any actions beyond opening a menu. In Tiger you were essentially logged in as root into the Finder (and SystemUIServer) which gave you complete access to anything. The kicker is that the root user was not enabled on any of the computers.

Now in the big picture it’s mostly a non-issue because the following requirements have to be taken to see this edge case:

  1. The workstation must be running 10.4.0-10.4.11 (Flash Player 10 doesn’t run on Mac OS X older than 10.4)
  2. You must be using Apple Remote Desktop to install the package
  3. You must ensure that you choose not to restart the computers in question. By default the package wants to restart the computer if no one is logged in (I assume it is to avoid this very situation). If someone is logged in however it doesn’t request a restart. The kicker is that if you select a group of machines and send it to install and one of them has a logged in user by default it does not ask you to restart.

If you check on the workstation you will see a Finder window open to root’s home folder - even if you don’t have the root user enabled (which I am of the opinion you shouldn’t especially with sudo available). Anything then opened via the Finder then runs as root as well (including Terminal).

So it’s easy to work around - either restart them all, or do it when you have users logged in (not ideal). If you do choose the username for the action to be done in ARD; the Finder window will open up as that user (quite possibly a local administrator account) so filing in a username there is not a workaround but much less dangerous than root access. Once the computer is restarted or someone logs in the issue goes away.