Security issue? Gaining root is ridiculously easy.

etresoft wrote:

This thread must have been edited because I don't see the quoted line anywhere.

What's really weird is that the OP is using zsh. I thought I was the only one weird enough to use zsh.

ZSH is awesome 🙂

FTR, this thread was moderated, stripped of two or three replies, and the OP (me as another user) was locked out of it after he (I) called out Harris as being untruthful after having tested the distros claimed by him to offer the same behavior as OS X, which they did not.

Good news is that someone with Apple actually read this thread, because the default sudo configuration starting with Sierra is now the same as every other *NIX/*nux distro, which is to prevent this security issue and restrict password-less sudo requests within the grace time to the process which originally received user authentication.

So we can sleep soundly if we're on Sierra, although it may have to be a clean install — I haven't tested if an upgrade retains the insecure default settings made by El Capitan and previous versions.

Cheers 🙂

Hello Dr.Bingo,

Sorry, but you are way off. Bob Harris was not being untruthful. I don't know what you did to get permanently banished from the forums, but it must have been pretty bad. They don't do that lightly.

I don't have access to the same Linux servers that I had this time last year. My current Ubuntu 16.04 works the same was as Sierra. I can't test my old 14.04 machine. Nor can I test the old production servers from around 2010 that my employer used to use, and probably still does. It doesn't really matter, because most people don't have sudo privileges on Linux servers. It doesn't matter much on Macs because 5 minutes of vulnerability 3 times a year isn't that much of a risk anyway.

I can assure you that no one, other than the Apple moderators of course, has read this thread. Sierra was released to beta test a month before this thread was started. It is impossible that any change in Sierra was a result of anything you said in this thread.

Can you show a "Normal" (Standard) user gain root after an admin has used sudo?

That does seem like odd behavior from a normal unix, sudo, and security viewpoint.

This is baffling after looking at it.

sudo -V on my stock 10.11.6 system shows:

Sudo version 1.7.10p9

Configure args: --with-password-timeout=0 --disable-setreuid --with-env-editor --with-pam --with-libraries=bsm --with-noexec=no --sysconfdir=/private/etc --with-timedir=/var/db/sudo

...

Authentication timestamp timeout: 5.0 minutes

...

Path to authentication timestamp dir: /var/db/sudo

This, in theory, should be fairly normal behavior. However, I have no timestamp file in /var/db/sudo/$username when I tested sudo. I cannot find any place where this timestamp file may reside, so far.

This is both a mystery and disconcerting.

Dr. Daniel, M.D. wrote:

Well, this is a standard user. The first user created when installing OS X has the ability to use sudo to elevate privileges.

Not what I meant, but the first user created has Admin privileges. A plain, Standard user cannot elevate their privileges using sudo unless you add them to the sudoers file (which can be done in the GUI by marking the allow user to administer the computer).

Hello Dr. Daniel,

The sudo command is for advanced users. The expectation is that they know what else is running on their system at all times. If you are concerned about this, you can always run as a standard user and then you won't have sudo privileges. This what I use. If I need to use sudo, I have to su into my admin user and then run sudo from there.

There are timestamp directories in /var/db/sudo as expected. There just isn't any $username variable.

So, to put it properly: Everyone will have this type of user after setting up their computer, and unless they're extremely vigilant and want to jump through hoops on a daily basis, they'll also be logged in as this user

No hoops to jump through at all. I'm not sure why you think there are some.

However, how does this become an exploit. You have the ability to elevate your user's privileges. How does another user (i.e. Hacker) use your user to exploit this. Another user (i.e. Another process running on the Mac) can't exploit this so I'm not sure how it is a problem. If someone hacks into your Mac and logs in as your user, it doesn't matter whether there is a timeout or not.

In your example script, your user is still running that script, it is not some rogue process.

If a Mac is owned and used in a home one could argue security is less of an issue. Therefore as you have observed the normal behaviour is that the first user account created is automatically given Administrator level privileges and hence is authorised to be a sudoer.

However the proper practice in a business or education environment is the normal users e.g. staff, students, etc. are not given Administrator level accounts only 'standard' level accounts. As a result they do not have sudoer privileges. One could therefore argue the issue is not as big a problem as you perceive.

It would still be worth you reporting it as a security concern because I agree with one aspect of your post, the time window where it caches sudo privileges should be as far as you and I are concerned limited to the original thread and not shared with other processes.

See https://www.apple.com/uk/support/security/

If you wish to further secure sudo, see here: http://www.cnet.com/news/adjust-the-sudo-time-out-behavior-in-os-x/

haha... u call that "easy" ? I would have a hard time doing that syntax, and i like to know more than the normal user.

If i can't understand that, how do u expect a average user to know ? This is why Apple does things via Terminal 🙂

to prevent most users getting access, but its there it they need it..

I wouldn't call a "smart user" who can get "easily get root access" easy on the Mac ... Easy for you yes.. but hard for others.. if they must figure it out on themselves.