Go Back   MacRumors Forums > Archive > Archives of Old Posts > MacBytes.com News Discussion

Old Apr 12, 2005, 09:18 AM   #1
MacBytes
macrumors bot
 
Join Date: Jul 2003
Security Watch: Could sudo Compromise Mac OS?




Category: Mac OS X
Link: Security Watch: Could sudo Compromise Mac OS?

Posted on MacBytes.com
Approved by Mudbug
MacBytes is offline   0
Old Apr 12, 2005, 10:00 AM   #2
TylerL
macrumors regular
 
Join Date: Jan 2002
A "Sit n' Wait" virus/trojan/malware that checks for sudo activity in /var/log/system.log?
Brilliant. I'm surprised I didn't think of that myself

I've always wondered why sudo'd commands show up in the system.log. secure.log makes much more sense, and should be quite easy for Apple to modify that behavior in a security update.

Last edited by TylerL; Apr 12, 2005 at 10:04 AM.
TylerL is offline   0
Old Apr 12, 2005, 10:01 AM   #3
aarond12
macrumors 6502a
 
Join Date: May 2002
Location: Dallas, TX USA
A quick how-to...

I just made the changes recommended in the article. This is how I did it:

1. Start a Terminal window. That is located in the Utilities folder in the Applications folder.

2. Enter the command "sudo visudo" (without the quotes) and press return.

3. You will be in the "vi" editor. Use the arrow keys to move to the blank line under "# Defaults specification".

4. Press "o" (the letter). "--INSERT--" will appear at the bottom of the screen.

5. Enter the following lines, exactly as listed below, pressing return after each line:

Defaults:ALL !syslog
Defaults:ALL logfile=/var/log/secure.log
Defaults:ALL timestamp_timeout=0
Defaults:ALL tty_tickets

6. Press the ESC key. The "--INSERT--" notification should disappear.

7. Type the following key sequence, followed by the return key:

:wq

8. The screen should clear and return you to the prompt. You may quit out of Terminal. You're done!

-Aaron-
aarond12 is offline   0
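A way to confirm that the edit took, as an added example that is not part of aarond12's post or of anything Apple ships: a small POSIX shell script that reads a sudoers file (a copy, not the live one) and reports which of the four Defaults options are missing. The function names and the two sample files it builds are constructed here for illustration, not Apple's real /etc/sudoers.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apple: audit a sudoers file
# for the four Defaults lines that aarond12's how-to adds. It only reads the
# file you point it at (a copy of /etc/sudoers, for instance); edits still go
# through `sudo visudo`, which syntax-checks the file before saving.

# sudoers_has_default FILE OPTION
# Succeeds if an uncommented "Defaults" line in FILE carries OPTION as a whole
# word, so "timestamp_timeout=0" does not match "timestamp_timeout=05".
sudoers_has_default() {
    sed -e 's/#.*$//' "$1" \
        | grep -E '^[[:space:]]*Defaults' \
        | grep -Fqw -- "$2"
}

# sudoers_audit FILE
# Prints one "missing: ..." line per absent option; succeeds only if all four
# are present.
sudoers_audit() {
    missing=0
    for opt in '!syslog' 'logfile=/var/log/secure.log' \
               'timestamp_timeout=0' 'tty_tickets'; do
        if ! sudoers_has_default "$1" "$opt"; then
            echo "missing: $opt"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed samples (not Apple's real file): one as the how-to leaves it,
# one with the Defaults section still empty.
SAMPLE_HARDENED=$(mktemp)
SAMPLE_STOCK=$(mktemp)
trap 'rm -f "$SAMPLE_HARDENED" "$SAMPLE_STOCK"' EXIT

cat > "$SAMPLE_HARDENED" <<'EOF'
# Defaults specification
Defaults:ALL !syslog
Defaults:ALL logfile=/var/log/secure.log
Defaults:ALL timestamp_timeout=0
Defaults:ALL tty_tickets

# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
EOF

cat > "$SAMPLE_STOCK" <<'EOF'
# Defaults specification

# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
EOF

echo "hardened sample:"; sudoers_audit "$SAMPLE_HARDENED" && echo "all four options present"
echo "stock sample:";    sudoers_audit "$SAMPLE_STOCK"    || echo "not hardened"
```

To run it against a real system, copy the file first (`sudo cp /etc/sudoers /tmp/sudoers.copy`) and call `sudoers_audit /tmp/sudoers.copy`; the script never writes to the sudoers file itself.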
Old Apr 12, 2005, 10:45 AM   #4
plinden
macrumors 68040
 
Join Date: Apr 2004
This is exactly the same as in any Linux distro - it's not confined to OS X.
plinden is offline   0
Old Apr 12, 2005, 11:01 AM   #5
mrsebastian
macrumors 6502a
 
Join Date: Nov 2002
Location: sunny san diego
I'm totally retarded when it comes to looking under the hood of OS X, but doesn't the average user not really have to worry 'bout it, since we never log in as the root user?
__________________
[ding]
mrsebastian is offline   0
Old Apr 12, 2005, 11:07 AM   #6
idarknight
macrumors newbie
 
Join Date: Sep 2004
You do when you install something.

Last edited by Nermal; Apr 12, 2005 at 09:30 PM. Reason: you didn't need to quote the post directly above yours
idarknight is offline   0
Old Apr 12, 2005, 11:47 AM   #7
telecomm
macrumors 65816
 
Join Date: Nov 2003
Location: Rome
The moral of the story, once again, is "don't run applications unless you know where they came from". Duh.
telecomm is offline   0
Old Apr 12, 2005, 12:08 PM   #8
Gizmotoy
macrumors 6502a
 
Join Date: Nov 2003
Yikes, that's a pretty big hole. Really, there is no excuse for not requiring a password every time you need to sudo, as in most Unix distributions. Sure it may get tedious if you have lots of stuff to install, but you should really be able to log in as root to do the installs anyway (obviously disabled by default, so only those who truly know what they are doing can get to it).

This trojan sounds pretty clever. Hope Apple comes up with a way to fix the hole for all OS X users, because this could be just the thing virus writers were waiting for: an easy way to walk around OS X's security mechanisms.
Gizmotoy is offline   0
Old Apr 12, 2005, 12:23 PM   #9
bryanc
macrumors 6502
 
Join Date: Feb 2003
Location: Fredericton, NB Canada
This is not a bug.

This is an intentional feature of the security model. It prevents an administrator from having to type their password for every command when they're doing system work.

If you're running untrusted applications while you're logged in as administrator, you deserve whatever you get!

Still, I agree that the usage of the sudo command should be tracked in secure.log, rather than in system.log. That wouldn't reduce the utility of this (very nice) security feature and would make it even more difficult to exploit.

Cheers
__________________
Windows - from the people who brought you EDLIN
bryanc is offline   0
Old Apr 12, 2005, 12:31 PM   #10
nagromme
macrumors G5
 
Join Date: May 2002
Quote:
Originally Posted by Gizmotoy
requiring a password every time you need to sudo
I never sudo or use Root anyway, but that was my thought. Apparently Apple decided NOT to alter this, so maybe they need a little bad publicity to change their mind
nagromme is offline   0
Old Apr 12, 2005, 12:39 PM   #11
montex
macrumors regular
 
Join Date: Jan 2002
Location: Seattle, WA
I have no idea what "sudo" is, and I don't think I'm alone. It's inexcusable that the author of this article doesn't explain what they're talking about, but I was hoping that someone on the MacRumors Forums would be kind enough to at least define the term.

Guess I'm a 'tard for not knowing.
montex is offline   0
Old Apr 12, 2005, 12:40 PM   #12
plinden
macrumors 68040
 
Join Date: Apr 2004
Open Terminal and type: man sudo

It's a way of performing tasks requiring "superuser" permissions without requiring login as root. It's common to Linux and some Unix OSs.

Last edited by Nermal; Apr 12, 2005 at 09:29 PM. Reason: you didn't need to quote the post directly above yours
plinden is offline   0
Old Apr 12, 2005, 01:11 PM   #13
mainstreetmark
macrumors 68020
 
Join Date: May 2003
Location: Saint Augustine, FL
Quote:
Originally Posted by nagromme
I never sudo or use Root anyway, but that was my thought. Apparently Apple decided NOT to alter this, so maybe they need a little bad publicity to change their mind
Many applications require you to type your password. I had always assumed it was sudo doing it. Perhaps it's something else.

But yes, if I install this protection, I'm not changing the 5 minute thing. I'd hate to have to type in my password every time I want to do something. (Though, I suppose I could just type in 'sudo bash' and be done with it for the session)
__________________
iTunesRegistry.com <--don't bother, it's dead.
mainstreetmark is offline   0
Old Apr 12, 2005, 01:17 PM   #14
stoid
macrumors 68040
 
Join Date: Feb 2002
Location: So long, and thanks for all the fish!
First off, even if a virus exploited this, it wouldn't be half what some Windows viruses are. The big problem with Windows viruses is that they are self-propagating, either by mailing themselves in deceptively important-looking e-mails or by sniffing IP addresses and trying to attack a remote computer.

As a fix, would it be possible that an installer app (99% of all sudo/root accesses) could log out of root when it's done?
stoid is offline   0
Old Apr 12, 2005, 01:19 PM   #15
1macker1
Banned
 
Join Date: Oct 2003
Location: A Higher Level
If you only have 1 account set up... isn't that the root account?
1macker1 is offline   0
Old Apr 12, 2005, 01:36 PM   #16
winmacguy
macrumors 68020
 
Join Date: Nov 2003
Location: New Zealand
The two biggest issues with security with OS X are no file auditing capabilities to see who has logged into the system or network, e.g. time, date, files accessed and changes made to those files when a user logs in, and no Admin password expiry. Yes there is password authentication, but, once you have set up your Admin password it remains active indefinitely. It cannot be deactivated. With WinNT and XP the admin password expires after 30 days, forcing you to set another new password as the old one is no longer recognised.
Other than that OS X is pretty secure.
__________________
With Windows iWork, with Apple iCreate
winmacguy is offline   0
Old Apr 12, 2005, 01:49 PM   #17
aarond12
macrumors 6502a
 
Join Date: May 2002
Location: Dallas, TX USA
Quote:
Originally Posted by winmacguy
With WinNT and XP the admin password expires after 30 days forcing you to set another new password as the old one is no longer recognised.
That is not true. The local administrator ("root") account on Windows NT, 2000 and XP systems does not expire unless a policy is in place to force this.

Windows is not as secure since it sets you up as "root" user by default during installation. Mac OS X at least requires you to authenticate before doing something that requires "root" access.

-Aaron-
aarond12 is offline   0
Old Apr 12, 2005, 03:27 PM   #18
cwtnospam
macrumors regular
 
Join Date: Sep 2004
It seems to me that the easiest way to avoid this "flaw" is to use at least two accounts. The admin account would be for installs and the standard account would be for day to day work. I don't believe you can sudo from a standard account - at least not without providing the admin account & password.
cwtnospam is offline   0
Old Apr 12, 2005, 03:41 PM   #19
mkrishnan
Moderator emeritus
 
Join Date: Jan 2004
Location: Grand Rapids, MI, USA
Quote:
Originally Posted by nagromme
I never sudo or use Root anyway, but that was my thought. Apparently Apple decided NOT to alter this, so maybe they need a little bad publicity to change their mind
Can I ask a stupid question? This is the second time around that we're doing this thread, and I made some changes on my computer the first time (when I found out I could de-admin my account).

I understand that making the modifications (or de-admin'ing yourself) would tighten the availability of sudo access for apps running on the system. However, consider a real trojan scenario....

Suppose someone actually writes a fake application installer that prompts you to superuser graphically, or a virus that uses installers as its host. If you believe in the file authenticity to begin with, then even if your account is set to prohibit you from gaining superuser privileges, you will still username/password in to install the software using a user who has sufficient privilege. Aren't you back at square one then? Who cares if sudo only works on a per TTY or per-command basis, without grace? The trojan was the first command to execute the sudo, so it's the one that has the rights, and it can do whatever it wants. Including using its one sudo act to loosen the sudo requirements by replacing the sudo rc file.

So doesn't it all come back to "don't run apps you don't trust" again?
__________________
Mira C. Krishnan
mkrishnan is offline   0
Old Apr 12, 2005, 05:32 PM   #20
shamino
macrumors 68040
 
Join Date: Jan 2004
Location: Vienna, VA
Quote:
Originally Posted by aarond12
Defaults:ALL !syslog
Defaults:ALL logfile=/var/log/secure.log
Defaults:ALL timestamp_timeout=0
Defaults:ALL tty_tickets
This is overkill. There's no need to apply all three suggested fixes.

In particular, tty_tickets is meaningless if you set timestamp_timeout to zero.

FWIW, all I did on my system is set timestamp_timeout to zero. For those operations where I really need to run a number of commands as root, I simply "su" to the root account.
shamino is offline   0
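To make shamino's point concrete, here is an added example that is not from the thread: a simplified shell model of sudo's ticket check. The function, its parameters, and the times and tty names fed to it are constructed for illustration; real sudo keeps tickets as timestamp files in its own directory and checks more than this, but the ordering of the three tests is what decides whether the options overlap.

```shell
#!/bin/sh
# Added example, not code from the thread: a deliberately simplified model of
# sudo's credential cache, written to show why tty_tickets adds nothing once
# timestamp_timeout is 0. A "ticket" here is just the time and tty of the last
# successful password entry, and times are integer seconds (constructed).

# sudo_decision LAST_AUTH NOW TIMEOUT_MIN TTY_TICKETS LAST_TTY CUR_TTY
# Prints "prompt" when sudo would ask for a password again and "cached" when
# the earlier ticket would be reused.
sudo_decision() {
    last_auth=$1 now=$2 timeout_min=$3 tty_tickets=$4 last_tty=$5 cur_tty=$6
    # timestamp_timeout=0: no ticket is ever kept, so every call prompts and
    # the tty_tickets test below is never reached.
    if [ "$timeout_min" -eq 0 ]; then
        echo prompt; return 0
    fi
    # tty_tickets: a ticket earned on one terminal is not valid on another,
    # which is what stops a process elsewhere riding the admin's ticket.
    if [ "$tty_tickets" = yes ] && [ "$last_tty" != "$cur_tty" ]; then
        echo prompt; return 0
    fi
    # Otherwise the ticket is good until timeout_min minutes have elapsed.
    if [ $((now - last_auth)) -ge $((timeout_min * 60)) ]; then
        echo prompt; return 0
    fi
    echo cached
}

# Scenario from the thread: the admin typed a password on ttys000 at t=1000;
# two minutes later sudo runs again, once from another tty and once from the
# same one, under each of the four option combinations.
for cfg in "5 no" "5 yes" "0 no" "0 yes"; do
    set -- $cfg
    printf 'timestamp_timeout=%s tty_tickets=%s: other tty -> %s, same tty -> %s\n' \
        "$1" "$2" \
        "$(sudo_decision 1000 1120 "$1" "$2" ttys000 ttys001)" \
        "$(sudo_decision 1000 1120 "$1" "$2" ttys000 ttys000)"
done
```

The loop's output shows the two rows for `timestamp_timeout=0` are identical with or without `tty_tickets`, while the 5-minute rows differ only on the "other tty" column; that is exactly the overlap shamino describes.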
Old Apr 12, 2005, 05:34 PM   #21
shamino
macrumors 68040
 
Join Date: Jan 2004
Location: Vienna, VA
Quote:
Originally Posted by mrsebastian
I'm totally retarded when it comes to looking under the hood of OS X, but doesn't the average user not really have to worry 'bout it, since we never log in as the root user?
If you never use the "sudo" command from a terminal window, then this bug shouldn't affect you.

This is probably why Apple hasn't been rushing a quick-fix for this.
shamino is offline   0
Old Apr 12, 2005, 05:36 PM   #22
shamino
macrumors 68040
 
Join Date: Jan 2004
Location: Vienna, VA
Quote:
Originally Posted by plinden
This is exactly the same as in any Linux distro - it's not confined to OS X.
Yes, but default Linux distros (at least my RedHat one) have the tty_tickets option on by default and log sudo activity in the secure log file. So the bug can only affect someone who deliberately modified his sudo configuration to a less-secure model.
shamino is offline   0
Old Apr 12, 2005, 05:54 PM   #23
shamino
macrumors 68040
 
Join Date: Jan 2004
Location: Vienna, VA
Quote:
Originally Posted by montex
I have no idea what "sudo" is, and I don't think I'm alone. It's inexcusable that the author of this article doesn't explain what they're talking about, but I was hoping that someone on the MacRumors Forums would be kind enough to at least define the term.
On all UNIX systems, there are some maintenance activities which you need to do from a "root" account. (root being the Unix equivalent of an Administrator on other operating systems.)

Because it is unsafe to be logged in as root all the time (since a typo can trash the entire system), it is good practice to do your day-to-day work from an ordinary (non-privileged) user account, and only use the root account when absolutely necessary.

The classic way to do this is the "su" (switch-user) command. su lets one user switch over to another user's account. You just type "su <user>", followed by that user's password (when prompted) and you're now working as that user until you exit from that user's shell. If you use the su command without specifying a user, you are switched to the root account (after you type in the root password, of course.)

Over time, people decided that using su for maintenance is a bad idea. Anybody using it needs to know the root password - meaning they can have access to everything. And if someone forgets to exit from the root-level shell and walks away from the terminal, someone else could trash the system from there.

So the "sudo" command was invented. Sudo allows you to switch to another user (usually root), but only for one command. When that command completes, you are left back in your original account's shell, not a root shell.

Furthermore, sudo asks for your own password, not the root password. So the administrator doesn't have to give you access to the root account in order to use it. The file /etc/sudoers (set up by the administrator) is used to tell the sudo program who is allowed to switch to what accounts, and what programs they're allowed to run when they do.

With a properly configured sudo command, an administrator can delegate his administrative duties to other users without granting them root-level access. It also is possible to eliminate the need for root-level logins (and the ability to switch to a root-shell via the su command) if sudo is set up properly. (This is why Apple can leave the root account disabled in a default MacOS installation without breaking everything.)

Unfortunately, Apple didn't leave sudo properly configured. Their decision to have the tty_tickets option disabled by default and to send sudo's log messages to the system-log instead of the security-log presents a security hole that a crafty program can use to perform root-level commands without knowing any passwords.
shamino is offline   0
Old Apr 12, 2005, 05:54 PM   #24
daveL
macrumors 68020
 
Join Date: Jun 2003
Location: Montana
Quote:
Originally Posted by shamino
This is overkill. There's no need to apply all three suggested fixes.

In particular, tty_tickets is meaningless if you set timestamp_timeout to zero.

FWIW, all I did on my system is set timestamp_timeout to zero. For those operations where I really need to run a number of commands as root, I simply "su" to the root account.
Setting up a root account certainly isn't the most secure way to go about it. If you're going to be doing a bunch of root-level work, you can always "sudo bash" to get a root sub-shell. Anyway, that's how I've been doing it.
__________________
-daveL
daveL is offline   0
Old Apr 12, 2005, 05:57 PM   #25
shamino
macrumors 68040
 
Join Date: Jan 2004
Location: Vienna, VA
Quote:
Originally Posted by mkrishnan
Suppose someone actually writes a fake application installer that prompts you to superuser graphically, or a virus that uses installers as its host. If you believe in the file authenticity to begin with, then even if your account is set to prohibit you from gaining superuser privileges, you will still username/password in to install the software using a user who has sufficient privilege. Aren't you back at square one then? Who cares if sudo only works on a per TTY or per-command basis, without grace? The trojan was the first command to execute the sudo, so it's the one that has the rights, and it can do whatever it wants. Including using its one sudo act to loosen the sudo requirements by replacing the sudo rc file.

So doesn't it all come back to "don't run apps you don't trust" again?
You're absolutely right on all counts.

If a trojan is able to trick a user into typing in an admin account/password, then it can do anything, including disable all the system security.

Which is why we'll never be completely free of viruses - there will always be some users who will be tricked into destroying their own systems, no matter how many warnings you give them.
shamino is offline   0

Copyright 2002-2013, MacRumors.com, LLC