Dr. Daniel, M.D.

Q: Security issue? Gaining root is ridiculously easy.

Okay, so I noticed the other day that an app (forget which) that usually prompts for my password to gain root privileges didn't do so — it just continued doing what it needed the privileges for.

 

I remembered that shortly before, I had used sudo in iTerm to run a command with root privileges, and I know that OS X doesn't ask for your password after the first time you run sudo unless a number of minutes have passed. I had assumed that this behavior would be local to the thread from which you initially provided the password, which would've been the zsh session in iTerm. However, it seemed that it was neither local to the zsh session, nor to zsh, nor to iTerm. A completely different app had apparently piggy-backed on my sudo "session" and gained root privileges without my approval.

 

I tested this by issuing a sudo command in zsh in iTerm, and then, after having provided my password, I opened up Terminal with bash and issued a sudo command there. No password prompt, instant root privileges.

 

Based on this, it's clear that any app which runs as a user who can run sudo to gain root privileges (which is any normal OS X user) can wait for the user to execute sudo, and immediately gain root access to the system. Knowing when the current user runs sudo is easy, as such an event is written to the syslog.

 

Proof of concept. Quick-n-dirty. Save as a script and run in a terminal window. Then, run sudo in a different terminal window. The script will catch the sudo event and write the empty file "kilroy-was-here", as root:wheel, to the root of the drive.

 

```bash
#!/bin/bash
# Block until the next sudo log entry for the current user appears in the
# syslog (tail -n 0 skips existing lines; grep -m 1 exits on the first match).
tail -f -n 0 /var/log/system.log | grep -m 1 -E 'sudo\[[0-9]+\]:\s+'"$USER"

echo "Gonna play around with root privs ..."

# The other terminal's sudo has just refreshed the user's credential ticket,
# so this sudo runs without a password prompt.
sudo touch /kilroy-was-here
```

 

This seems... Wrong... Thoughts?

 

Daniel

MacBook Air, OS X El Capitan (10.11.6)

Posted on Jul 26, 2016 2:42 AM
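The same syslog entries the proof of concept waits on can be used the other way round, for detection. The Python below is an added example and is not part of the thread: it parses sudo's syslog line format (user : TTY=… ; PWD=… ; USER=… ; COMMAND=…), then pairs each sudo invocation with any earlier invocation by the same user, within the 5 minute default timeout, on a different TTY. Those pairs are the invocations that could have reused another terminal's ticket. Two caveats a practitioner should keep in mind: sudo does not log whether a password was actually prompted for, so the pairs are candidates to investigate rather than confirmed reuse, and on a system whose sudo keeps a separate ticket per terminal the pairing is no longer meaningful. The log lines and hostname are constructed for the example.

```python
"""Flag sudo invocations that may have ridden on another terminal's cached
credential ticket.  Added example; the log lines below are constructed."""
import re
from datetime import datetime, timedelta

# Assumed syslog-style line as sudo writes it on OS X 10.11.  The line carries
# no year, so the caller supplies one.
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sudo\[(?P<pid>\d+)\]:\s+"
    r"(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Constructed sample: daniel authenticates on ttys001, a second sudo follows
# three seconds later on ttys002 (the proof-of-concept window), a third sudo
# on ttys001 comes well outside the window, and alice is unrelated.
SAMPLE_LOG = """\
Jul 26 02:31:07 air sudo[4021]:   daniel : TTY=ttys001 ; PWD=/Users/daniel ; USER=root ; COMMAND=/usr/sbin/chown daniel /opt/pkg
Jul 26 02:31:09 air kernel[0]: hfs: mounted Data on device disk1s2
Jul 26 02:31:10 air sudo[4033]:   daniel : TTY=ttys002 ; PWD=/Users/daniel ; USER=root ; COMMAND=/usr/bin/touch /kilroy-was-here
Jul 26 02:38:55 air sudo[4102]:   daniel : TTY=ttys001 ; PWD=/Users/daniel ; USER=root ; COMMAND=/usr/bin/vim /etc/hosts
Jul 26 02:39:01 air sudo[4110]:   alice : TTY=ttys003 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/ls /var/root
"""


def parse_sudo_events(lines, year=2016):
    """Return the sudo events (dicts) found in `lines`, in file order.
    Lines from other daemons are skipped."""
    events = []
    for line in lines:
        m = SUDO_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({**m.groupdict(), "time": ts, "pid": int(m["pid"])})
    return events


def piggyback_candidates(events, timeout=timedelta(minutes=5)):
    """Pair each sudo event with the most recent earlier event by the same
    user on every *other* TTY, provided it falls inside `timeout`.
    Returns a list of (earlier, later) event pairs."""
    last_on_tty = {}  # user -> {tty: most recent event on that tty}
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        seen = last_on_tty.setdefault(ev["user"], {})
        for tty, prev in seen.items():
            if tty != ev["tty"] and ev["time"] - prev["time"] <= timeout:
                hits.append((prev, ev))
        # Every sudo use refreshes the ticket, so remember the latest per tty.
        seen[ev["tty"]] = ev
    return hits


if __name__ == "__main__":
    events = parse_sudo_events(SAMPLE_LOG.splitlines())
    for earlier, later in piggyback_candidates(events):
        gap = (later["time"] - earlier["time"]).total_seconds()
        print(f"{later['user']}: sudo[{later['pid']}] on {later['tty']} "
              f"{gap:.0f}s after sudo[{earlier['pid']}] on {earlier['tty']}: "
              f"{later['cmd']}")
```

Run against the constructed sample it reports one pair: the touch on ttys002 three seconds after the chown on ttys001. The later vim on ttys001 is not paired with the ttys002 event because more than five minutes separate them. To run it over a real machine's history, feed it the sudo lines from /var/log/system.log (or its rotated, gzipped predecessors) and supply the right year.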

  • by Dr. Daniel, M.D., Level 1 (5 points), Mac OS X, Jul 28, 2016 6:29 AM in response to Tech198

    Tech198 wrote:

     

    haha... you call that "easy"? I would have a hard time doing that syntax, and I like to know more than the normal user.

    If I can't understand that, how do you expect an average user to know? This is why Apple does things via Terminal, to prevent most users getting access, but it's there if they need it.

    I wouldn't call a "smart user" who can "easily get root access" easy on the Mac ... Easy for you, yes, but hard for others if they must figure it out by themselves.

     

    Perfectly fine that you couldn't do that as a regular user, don't get me wrong. But I'm assuming you're not worried about just some other random person when we're talking about computer security, right? Fact of the matter is that I'm not a blackhat or something like that. I'm a web developer. Nothing fancy. And that snippet right there isn't even code, it's just a couple of commands. The point is that if you ran any program that I made — as yourself — and I had that snippet of code in there, I could do anything with your computer and all user accounts on it. If, of course, and that's the catch, you ever use apps that prompt for your password to do system-level stuff. I just confirmed that with the TrueCrypt app. I've made a mental note to see if something like a Java update's elevation prompt can be exploited as easily. I'm tempted to say I'd put money on it.

  • by BobHarris, Level 6 (19,432 points), Mac OS X, Jul 28, 2016 6:31 AM in response to Dr. Daniel, M.D.

    ...Once you do that, I can steal root privileges from my script running in Terminal in the background without providing the password

    You did not steal anything.  You are within the sudo facility's 5 minute timeout for all processes running as "you".

     

    If you feel this is a serious problem (which to date has not been), then please tell Apple

    BugReporter (Free ADC (Apple Developer Connection) account needed for BugReporter)

    <http://bugreporter.apple.com>

    Anyone can get a free ADC account at:

    <https://developer.apple.com/register/index.action>

    And/Or
  • by Dr. Daniel, M.D., Level 1 (5 points), Mac OS X, Jul 28, 2016 6:38 AM in response to BobHarris

    BobHarris wrote:

     

    When you issued the 'sudo' command, in your terminal session, you started a 5 minute timer for your 'admin' account to be able to issue the 'sudo' command again without a password.

     

    And when I say your 'admin' account, I mean every instance of your account.  So any other terminal sessions, your GUI login, etc... have 5 minutes to use the 'sudo' facilities without needing to specify a password.

     

    And the first account created on your Mac is always an 'admin' account.

     

    GUI applications running in your 'admin' account that need elevated privileges are using 'sudo' facilities under the covers.

     

    So your Terminal session's use of 'sudo' enabled your GUI apps use of 'sudo' because it is all you.  And you are the 'admin'

     

    If you wish the 'sudo' command to have a shorter timeout (not advised), you can change the /etc/sudoers file to include the 'passwd_timeout' parameter (see "man sudoers").  Note: mess up the /etc/sudoers file and you will not be able to get elevated privileges again, without restoring it, so be very careful about any changes you make to this file.

     

    Hey I missed this reply

     

    If this confirmation is in fact true (and I believe it is), then this is really, really bad. That means the defaults leave you wide open to having an app wait around to get root access to your box. I'll have to try a Linux box when I get home to see if it behaves similarly. From using Lubuntu earlier this week, I'm almost positive that consecutive sudos in one tab in lxterm used the auto-grant, while opening a new tab would require a password on the first run. If it does behave like on OS X, I'll weep.

     

    It seems utterly insane to me not to restrict this five-minute "auto-grant" period to the process which triggered it. Or at least the app (which I actually thought sudo/OS X was doing before this). I mean, I realize that "convenience" is a pretty high priority with Apple, but this doesn't seem like a well thought through design.
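The sudoers settings behind the behaviour debated above, as an added example that is neither from the thread nor from Apple's shipped /etc/sudoers. Two Defaults options matter: `timestamp_timeout` is the number of minutes a cached credential stays valid (5 when unset; 0 makes sudo prompt on every invocation), and `tty_tickets` keeps a separate ticket per terminal, so a ticket obtained in one terminal window does not satisfy a sudo run from another window or from a process with no terminal. `passwd_timeout`, mentioned above, is a different knob: how long sudo waits at the password prompt before giving up. Whether `tty_tickets` is on by default depends on the sudo version and how it was built; `sudo -V` run as root lists the settings in effect.

```text
# Added example; edit /etc/sudoers only through `visudo`, which syntax-checks
# the file before saving it (a syntactically broken sudoers disables sudo).

# What the original post observed: one ticket per user, valid for 5 minutes,
# honoured for every process running as that user, whatever terminal it is on.
Defaults    !tty_tickets
Defaults    timestamp_timeout=5

# Hardened (listed last, so it wins if both stanzas are present): the ticket is
# bound to the terminal that authenticated, so a sudo run from another terminal
# window, or from a process with no terminal, is prompted for a password again.
# The window is shortened as well; timestamp_timeout=0 prompts every time.
Defaults    tty_tickets
Defaults    timestamp_timeout=1
```

`visudo -c` checks the file without opening it for editing. Independently of the configuration, `sudo -k` drops the caller's own ticket immediately, so running `sudo some-command; sudo -k` closes the window the proof of concept waits for; and `sudo -n true` from a second terminal window is a quick test of whether tickets are shared, since with `-n` sudo never prompts and exits non-zero when a password would be required.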

  • by Dr. Daniel, M.D., Level 1 (5 points), Mac OS X, Jul 28, 2016 6:45 AM in response to BobHarris

    BobHarris wrote:

     

    ...Once you do that, I can steal root privileges from my script running in Terminal in the background without providing the password

    You did not steal anything.  You are within the sudo facility's 5 minute timeout for all processes running as "you".

     

    If you feel this is a serious problem (which to date has not been), then please tell Apple

    BugReporter (Free ADC (Apple Developer Connection) account needed for BugReporter)

    <http://bugreporter.apple.com>

    Anyone can get a free ADC account at:

    <https://developer.apple.com/register/index.action>

    I'm sorry to be so blunt, but if you don't think this is a problem at all then I'm quite frankly shocked beyond belief.

     

    Either way, I didn't actually intend for the question to be a debate about the ramifications of the issue so much as try to establish whether it actually was an issue that existed outside my (apparently not "technically" broken) install. Seems like it is

     

    Well, thanks for chipping in! It was very helpful

     

    Cheers,

    Daniel

  • by BobHarris, Level 6 (19,432 points), Mac OS X, Jul 28, 2016 7:16 AM in response to Dr. Daniel, M.D.

    I'll have to try a Linux box when I get home to see if it behaves similarly.

    This is the same behavior I have on RedHat Enterprise Linux and Oracle Linux distributions.  I do not know if every Linux distribution keeps the default /etc/sudoers settings.

     

    And I have frequently used the ability to issue sudo on one terminal session, and within the 5 minute timeout, issued sudo commands on other terminal sessions.

     

    As for apps waiting around to issue 'sudo' commands.  If you install malware from any source, it can do damage.  It could pretend to be a FlashPlayer update, or some other system install that many people know they need to enter their password for, and trick you into giving it not only sudo access, but your password as well.

     

    This is why Apple has signed apps, and can revoke the developer's signature if it is discovered that they are distributing malware with their signature.

     

    It is also why XProtect runs as part of OS X to look for known issues, and it is updated as needed when new issues crop up, to disable them once Apple knows about them.

     

    There are lots of ways to fool a user.  The sudo 5 minute timeout is the least of the problems.  This has been the behavior since the first release of OS X way back in the early 2000's, and it has not become a problem in all that time; plus it is the behavior of just about every Unix implementation I have worked on (Digital Equipment Corporation/Compaq/HP's Tru64 UNIX, HP-UX, Solaris, AIX, RedHat Linux, Oracle Linux, and of course OS X), and the 5 minute timeout has not been a problem.

     

    Since you have "MD" after your name, it is possible you are concerned about HIPAA compliance, and I do not think this forum is qualified to offer an opinion about HIPAA.

  • by dialabrain, Level 5 (6,211 points), Mac App Store, Jul 28, 2016 7:23 AM in response to BobHarris

    Thank you Bob for bringing up Linux's behavior. I thought it behaved the same in Ubuntu based distros but I wasn't positive and didn't feel like checking at the moment.

  • by Király, Level 6 (9,819 points), Mac OS X, Jul 28, 2016 7:33 AM in response to Dr. Daniel, M.D.

    Dr. Daniel, M.D. wrote:

     

    Okay, first of all, let's get real here. I know of zero Mac users (including everyone at every place I've ever worked) who have created an extra, underprivileged user after having set up their Mac and logged in with the sudo-enabled user that is created by default, and is currently using that user to log in with. The majority of people don't know how to do that, let alone why they might want to.

    I do that; in fact Apple advises us to do exactly that. Running all the time as an admin user hands admin privileges to every app and process you run; privileges those apps don't need and shouldn't have.

     

     

     

     

    I know how to do that, but seriously can't be bothered having to deal with user switching throughout the day while developing and whatnot. And I shouldn't have to to avoid the issue I'm talking about right here. We can agree all day that your using a less privileged user for your sessions is more secure. But the reality is, that pretty much no one is. And if I'm interested in exploiting a vulnerability to get access to sensitive data en masse, I'm much more interested in the majority and the defaults than I am about seeking out people utilizing better practices.

     

    Why do you think you need to switch users? I do admin and root tasks from my non-admin account all the time simply by supplying the admin user's username and password when prompted. No switching to the admin account is necessary. It's probably been at least a year since I actually logged in to the admin account.

     

    Switching is easy; just create a new admin account and change your previous account from admin to standard. It takes about 20 seconds.

     

    Yes I agree about your security concerns with sudo, but that's what you get when you run all the time as an admin user. The solution is just to stop unnecessarily handing admin rights to apps and processes that don't need them; i.e. stop running all the time as admin.

  • by etresoft, Level 7 (29,198 points), Mac OS X, Jul 28, 2016 9:07 AM in response to Dr. Daniel, M.D.

    Dr. Daniel, M.D. wrote:

     

    The sudo command isn't just for advanced users. It is also indirectly called by apps that require root access to do stuff (e.g. write images to USB sticks, mount encrypted partitions, etc.). The fact that it does this via a graphical user interface doesn't change the fact that it triggers a sudo session in the background which can be hijacked very easily (if you're logged in the way that arguably 99+% of Mac users are).

    No. The sudo command is only for shell use. It cannot be used from any GUI apps. Other kinds of authentication use other methods and are specific to those apps that employ them. There are normally lots of hoops to jump through. By using sudo, you acknowledge the risks of bypassing all of those extra security hoops.

     

    Also, I don't agree with you that, "the expectation is that they know what else is running on their system at all times." That would just be a blanket excuse someone could apply anywhere to not bother dealing with security in one's own code. I don't remember sudo behaving this way when I used to run Linux as a desktop OS.

    Well, yes. It is a blanket excuse that people could use to avoid proper security. But that is the way the world works. If you go outside the mainstream, you are on your own. Terminal and especially sudo are outside that mainstream.

     

    Don't know what you mean by, "There are timestamp directories in /var/db/sudo as expected. There just isn't any $username variable."?

    I was referred to the comment above by Jesse Trucks. The sudo command is working as documented.

  • by Dr. Daniel, M.D., Level 1 (5 points), Mac OS X, Jul 29, 2016 12:01 PM in response to Király

    Király wrote:

     

    The majority of people don't know how to do that, let alone why they might want to.

    I do that, in fact Apple advises us to to exactly that. Running all the time as an admin user hands admin privileges to every app and process you run; privileges those apps don't need and shouldn't have.

     

    I don't know that Apple advises us to do that; a quick Google search doesn't find anything immediately suggesting this. The knowledge base articles that do turn up, such as this one, all seem to mention that you shouldn't use auto-login for an administrator account, though, but that's far from that advice.

     

    Even if they do advise using this setup somewhere, then how does that possibly make any difference when

    1. You'd have to go look for this advice yourself
    2. The setup wizard that runs on your Mac does not set this up, nor does it mention that you might want to

    Why do you think you need to switch users? I do admin and root tasks from my non-admin account all the time simply by supplying the admin user's username and password when prompted. No switching to the admin account is necessary. It's probably been at least a year since I actually logged in to the admin account.

     

    Well, for me, I use the shell more than I use the GUI. I do tons of stuff that needs root access, and having to do that by first su'ing to my administrator user and then sudo'ing on from there would just plain suck. Then there's the issue of file permissions while I'd be shelling as either daniel:staff or standarddaniel:whatevergroupthatwouldbe. Neither would be able to mess with each other's files, so combining coding in the GUI as the standard user with having to be the admin user in an elevated shell prompt (where if I didn't want to be constantly switching users, I'd have to have duplicate setups of zsh and all other terminal-y stuff like brew and go and tools and credentials for accessing rackspace and AWS, ssh keys for logging in to our corporate servers, etc. ad nauseam), I'd have to deal with file permissions all day long as well.

     

    Even if that setup could be made semi-trivial, it doesn't change the fact that it doesn't have to be like that. Every Linux distro I've used (and tested, including those two falsely claimed to behave otherwise by that other fella) doesn't have this insecure configuration and works just splendidly in terms of security out-of-the-box.

     

    And again, even if you using that setup isn't a hassle for you, that's not the point: It's just not the setup that practically every Mac user is using. Sorry if I sound pedantic (still a little worked up about the other guy just lying to me to win some kind of argument I wasn't actually trying to make), but it's just irrelevant that it's not a really big hassle to reconfigure your Mac to not be vulnerable to attacks exploiting this ill-thought-out default configuration. It's like asking someone using Windows when a zero-day exploit in the networking stack is discovered, "Why aren't you just using OS X instead? It's just as easy, if not easier to use, and it has all the apps you use?" There are valid points in that question, it's just not relevant to a discussion about the exploit itself.

     

     

    Yes I agree about your security concerns with sudo, but that's what you get when you run all the time as an admin user. The solution is just to stop unnecessarily handing admin rights to apps and processes that don't need them; i.e. stop running all the time as admin.

    No. That's what you get when you run all the time as an admin user on OS X. No other OS that I've tried, including Windows, has an exploitable configuration like this.

     

    And again, how is this relevant? Is anyone in your family running OS X? Your mother or father, perhaps? Your friends? Have they set up their systems like you? Does it matter to you that they're vulnerable to this unfortunate exploitable default configuration? I'm not worried about me (well, a little bit, I'm worried that it might already have been exploited) — I'm worried about my friends, family and colleagues. This is the way the default user session runs on every Mac out there.

     

    I totally agree with the points that running as a different user than the default would exempt you from being vulnerable to attacks exploiting this behavior, I just don't see how to get from that to "then this isn't a problem."

     

    Cheers,

    Daniel

  • by dialabrain, Level 5 (6,211 points), Mac App Store, Jul 29, 2016 12:15 PM in response to Dr. Daniel, M.D.

    Dr. Daniel, M.D. wrote:

    Does it matter to you that they're vulnerable to this unfortunate exploitable default configuration?

    Not really.

  • by Dr. Daniel, M.D., Level 1 (5 points), Mac OS X, Jul 29, 2016 12:22 PM in response to etresoft

    etresoft wrote:

     

    No. The sudo command is only for shell use. It cannot be used from any GUI apps. Other kinds of authentication use other methods and are specific to those apps that employ them. There are normally lots of hoops to jump through. By using sudo, you acknowledge the risks of bypassing all of those extra security hoops.

     

    The sudo command is not just for shell use. That there are other methods for obtaining elevated privileges in no way changes the fact that software already being used on OS X (as I demonstrated) does in fact use sudo and allows any other app running as the same user to piggy-back on the root access granted by them.

     

    I don't know what you mean by there normally being "lots of hoops to jump through," or how using sudo is "bypassing all of those extra security hoops" — you'd need to demonstrate that before it's more than just an assumption. By using sudo on any sanely configured system I've used, you do not acknowledge any security wall to just disappear, least of all that using sudo to elevate a command effectively allows every process running under your user account to automatically be able to get root privileges. I really don't know how I'm even having to stress this fact.

     

    Well, yes. It is a blanket excuse that people could use to avoid proper security. But that is the way the world works. If you go outside the mainstream, you are on your own. Terminal and especially sudo are outside that mainstream.

     

    And, as illustrated, you actively need to use neither Terminal, nor sudo, to be vulnerable. Just be logged in and use software.

     

    I know I'm getting bitchy here, and I'll stop shortly since right now we're not even remotely on topic, and the OQ has already been answered, but seriously, "that is the way the world works" is the most depressing statement uttered by people who couldn't give a rat's *** about anything and need an excuse to why they just don't bother participating anymore. I know that's not why you said it, so let me instead point out that, no, that's not the way the world works, unless you use OS X right now, because sudo doesn't normally work like this, and it was actually created to improve the security of the average POSIXy box running out there.

  • by etresoft, Level 7 (29,198 points), Mac OS X, Jul 29, 2016 2:29 PM in response to Dr. Daniel, M.D.

    Dr. Daniel, M.D. wrote:

     

    The sudo command is not just for shell use. That there are other methods for obtaining elevated privileges in no way changes the fact that software already being used on OS X (as I demonstrated) does in fact use sudo and allows any other app running as the same user to piggy-back on the root access granted by them.

    The sudo command is a shell command. That is all it is.

     

    I don't know what you mean by there normally being "lots of hoops to jump through," or how using sudo is "bypassing all of those extra security hoops" — you'd need to demonstrate that before it's more than just an assumption.

    OK. This is how all other apps elevate privileges: https://developer.apple.com/library/mac/documentation/Security/Conceptual/SecureCodingGuide/Articles/AccessControl.html

     

    By using sudo on any sanely configured system I've used, you do not acknowledge any security wall to just disappear, least of all that using sudo to elevate a command effectively allows every process running under your user account to automatically be able to get root privileges. I really don't know how I'm even having to stress this fact.

    Probably because it isn't a fact. The sudo command on the Mac works the same way it always has. It works the same way the sudo command works on Linux. I installed Ubuntu just now to verify. In fact, Ubuntu (at least the Ubuntu Server 16.04 distro) has even less security than the Mac. It didn't even have that initial wall of warning about the sudo command. It took my password and dumped me into root. And after that, it didn't bother asking for my password again.

     

    And, as illustrated, you actively need to use neither Terminal, nor sudo, to be vulnerable. Just be logged in and use software.

    I have not seen that demonstrated anywhere. Sudo will allow another sudo, but not anything else.

     

    To be clear, if you consider only the sudo command, you do have a valid point. The exploit you describe is possible, it just isn't anything new or specific to OS X. It also relies on the user running sudo. All in all, it doesn't seem like a very good mass-market attack strategy. But if you knew someone you wanted to hack and knew they used sudo, it might be effective.

     

    But again, no one else in the world is really concerned about this. If you are concerned, then you can do as both Király and I have suggested and use a standard account. Or you can change the sudo configuration to your liking. Or you can use one of the "-k" options to invalidate the timestamp. It really isn't that much of a hassle. I can't imagine what you are doing that requires you to go in and out of an admin account that much. I certainly don't do that. Nothing that you have described above requires root. You don't need duplicate shell setups. You only need root for operations that require root on your local machine and there are very few of those. If you run something like Docker then there will be even fewer still.

  • by BobHarris, Level 6 (19,432 points), Mac OS X, Jul 29, 2016 4:23 PM in response to Dr. Daniel, M.D.

    ...I mean, even using one of these distros is rare. Using both? Seriously weird...

    My day job is writing software that runs on multiple platforms, so every day, I have access to RedHat Linux, Oracle Linux, Oracle Sun's Solaris, IBM's AIX, Microsoft Windows, and my own OS X systems.  And since I've been working in the computer industry since the 70's, I've worked with many other Unix distributions, such as ULTRIX, Digital UNIX, Tru64 UNIX, HP-UX, SCO UNIX, BSD UNIX, FreeBSD UNIX, AT&T System V UNIX, and I may have forgotten a few (and I've got a lot of years on Digital Equipment Corporation's OpenVMS, not to mention my hardware diagnostic days when I wrote diagnostics that ran on bare metal without an operating system).

     

    While it may be rare for someone not in the industry, I've been doing this professionally for 45+ years.

  • by etresoft, Level 7 (29,198 points), Mac OS X, Jul 29, 2016 4:45 PM in response to BobHarris

    This thread must have been edited because I don't see the quoted line anywhere.

     

    What's really weird is that the OP is using zsh. I thought I was the only one weird enough to use zsh.

  • by cdhw, Level 4 (2,653 points), Servers Enterprise, Jul 29, 2016 5:02 PM in response to Jesse Trucks

    I believe that the directory modification date for

     

         /var/db/sudo/$username

     

    is the timestamp you are looking for.

     

    IME, it's common, but not universal, for Mac users to have a non-admin 'user' account for day-to-day use separate from the original 'admin' account used to set up the machine. It's uncommon for employer-owned Macs to be set up any other way, and folk tend to replicate the setup they are familiar with at work on their home machines.

     

    C.
