Security Watch: Could sudo Compromise Mac OS?

Discussion in 'MacBytes.com News Discussion' started by MacBytes, Apr 12, 2005.

  1. macrumors bot

    Joined:
    Jul 5, 2003
    #1
  2. macrumors regular

    Joined:
    Jan 2, 2002
    #2
    A "Sit n' Wait" virus/trojan/malware that checks for sudo activity in /var/log/system.log?
    Brilliant. I'm surprised I didn't think of that myself :p

    I've always wondered why sudo'd commands show up in the system.log. secure.log makes much more sense, and should be quite easy for Apple to modify that behavior in a security update.
     
  3. macrumors 6502a

    aarond12

    Joined:
    May 20, 2002
    Location:
    Dallas, TX USA
    #3
    A quick how-to...

    I just made the changes recommended in the article. This is how I did it:

    1. Start a Terminal window. That is located in the Utilities folder in the Applications folder.

    2. Enter the command "sudo visudo" (without the quotes) and press return.

    3. You will be in the "vi" editor. Use the arrow keys to move to the blank line under "# Defaults specification".

    4. Press "o" (the letter). "--INSERT--" will appear at the bottom of the screen.

    5. Enter the following lines, exactly as listed below, pressing return after each line:

    Defaults:ALL !syslog
    Defaults:ALL logfile=/var/log/secure.log
    Defaults:ALL timestamp_timeout=0
    Defaults:ALL tty_tickets

    6. Press the ESC key. The "--INSERT--" notification should disappear.

    7. Type the following key sequence, followed by the return key:

    :wq

    8. The screen should clear and return you to the prompt. You may quit out of Terminal. You're done!

    -Aaron-
     
  4. macrumors 68040

    plinden

    Joined:
    Apr 8, 2004
    #4
    This is exactly the same as in any Linux distro - it's not confined to OS X.
     
  5. macrumors 6502a

    mrsebastian

    Joined:
    Nov 26, 2002
    Location:
    sunny san diego
    #5
    I'm totally retarded when it comes to looking under the hood of osx, but doesn't the average user not really have to worry 'bout it, since we never log in as the root user?
     
  6. macrumors newbie

    Joined:
    Sep 27, 2004
    #6
    You do when you install something.
     
  7. macrumors 65816

    telecomm

    Joined:
    Nov 30, 2003
    Location:
    Rome
    #7
    The moral of the story, once again, is "don't run applications unless you know where they came from". Duh.
     
  8. macrumors 6502a

    Gizmotoy

    Joined:
    Nov 6, 2003
    #8
    Yikes, that's a pretty big hole. Really, there is no excuse for not requiring a password every time you need to sudo, as in most Unix distributions. Sure it may get tedious if you have lots of stuff to install, but you should really be able to log in as root to do the installs anyway (obviously disabled by default, so only those who truly know what they are doing can get to it).

    This trojan sounds pretty clever. Hope Apple comes up with a way to fix the hole for all OS X users, because this could be just the thing virus writers were waiting for: an easy way to walk around OS X's security mechanisms.
     
  9. macrumors 6502

    Joined:
    Feb 12, 2003
    Location:
    Fredericton, NB Canada
    #9
    This is not a bug.

    This is an intentional feature of the security model. It prevents an administrator from having to type their password for every command when they're doing system work.

    If you're running untrusted applications while you're logged in as administrator, you deserve whatever you get!

    Still, I agree that the usage of the sudo command should be tracked in secure.log, rather than in system.log. That wouldn't reduce the utility of this (very nice) security feature and would make it even more difficult to exploit.

    Cheers
     
  10. macrumors G5

    nagromme

    Joined:
    May 2, 2002
    #10
    I never sudo or use Root anyway, but that was my thought. Apparently Apple decided NOT to alter this, so maybe they need a little bad publicity to change their mind :)
     
  11. macrumors regular

    montex

    Joined:
    Jan 17, 2002
    Location:
    Seattle, WA
    #11
    I have no idea what "sudo" is, and I don't think I'm alone. It's inexcusable that the author of this article doesn't explain what they're talking about, but I was hoping that someone on the MacRumors Forums would be kind enough to at least define the term.

    Guess I'm a 'tard for not knowing.
     
  12. macrumors 68040

    plinden

    Joined:
    Apr 8, 2004
    #12
    Open Terminal and type: man sudo

    It's a way of performing tasks requiring "superuser" permissions without requiring login as root. It's common to Linux and some Unix OSs.
     
  13. macrumors 68020

    mainstreetmark

    Joined:
    May 7, 2003
    Location:
    Saint Augustine, FL
    #13
    Many applications require you to type your password. I had always assumed it was sudo doing it. Perhaps it's something else.

    But yes, if I install this protection, I'm not changing the 5 minute thing. I'd hate to have to type in my password every time I want to do something. (Though, I suppose I could just type in 'sudo bash' and be done with it for the session)
     
  14. macrumors 601

    stoid

    Joined:
    Feb 17, 2002
    Location:
    So long, and thanks for all the fish!
    #14
    First off, even if a virus exploited this, it wouldn't be half what some Windows viruses are. The big problem about Windows viruses is that they are self-propagating, either by mailing themselves in deceptively important-looking E-mails or by sniffing IP addresses and trying to attack a remote computer.

    As a fix, would it be possible that an installer app (99% of all sudo/root accesses) could log out of root when it's done?
     
  15. macrumors 65816

    1macker1

    Joined:
    Oct 9, 2003
    Location:
    A Higher Level
    #15
    If you only have 1 account set up....isn't that the root account?
     
  16. macrumors 68020

    winmacguy

    Joined:
    Nov 8, 2003
    Location:
    New Zealand
    #16
    The two biggest issues with security with OSX are no file auditing capabilities to see who has logged into the system or network eg time, date, files accessed and changes made to those files when a user logs in -and- no Admin password expiry. Yes there is password authentication, but, once you have set up your Admin password it remains active indefinitely. It cannot be deactivated. With WinNT and XP the admin password expires after 30 days forcing you to set another new password as the old one is no longer recognised.
    Other than that OSX is pretty secure. ;)
     
  17. macrumors 6502a

    aarond12

    Joined:
    May 20, 2002
    Location:
    Dallas, TX USA
    #17
    That is not true. The local administrator ("root") account on Windows NT, 2000 and XP systems does not expire unless a policy is in place to force this.

    Windows is not as secure since it sets you up as "root" user by default during installation. Mac OS X at least requires you to authenticate before doing something that requires "root" access.

    -Aaron-
     
  18. macrumors regular

    Joined:
    Sep 4, 2004
    #18
    It seems to me that the easiest way to avoid this "flaw" is to use at least two accounts. The admin account would be for installs and the standard account would be for day to day work. I don't believe you can sudo from a standard account - at least not without providing the admin account & password.
     
  19. Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #19
    Can I ask a stupid question? This is the second time around that we're doing this thread, and I made some changes on my computer the first time (when I found out I could de-admin my account :D).

    I understand that making the modifications (or de-admin'ing yourself) would tighten the availability of sudo access for apps running on the system. However, consider a real trojan scenario....

    Suppose someone actually writes a fake application installer that prompts you to superuser graphically, or a virus that uses installers as its host. If you believe in the file authenticity to begin with, then even if your account is set to prohibit you from gaining superuser privileges, you will still username/password in to install the software using a user who has sufficient privilege. Aren't you back at square one then? Who cares if sudo only works on a per TTY or per-command basis, without grace? The trojan was the first command to execute the sudo, so it's the one that has the rights, and it can do whatever it wants. Including using its one sudo act to loosen the sudo requirements by replacing the sudo rc file.

    So doesn't it all come back to "don't run apps you don't trust" again?
     
  20. macrumors 68040

    shamino

    Joined:
    Jan 7, 2004
    Location:
    Vienna, VA
    #20
    This is overkill. There's no need to apply all three suggested fixes.

    In particular, tty_tickets is meaningless if you set timestamp_timeout to zero.

    FWIW, all I did on my system is set timestamp_timeout to zero. For those operations where I really need to run a number of commands as root, I simply "su" to the root account.
     
  21. macrumors 68040

    shamino

    Joined:
    Jan 7, 2004
    Location:
    Vienna, VA
    #21
    If you never use the "sudo" command from a terminal window, then this bug shouldn't affect you.

    This is probably why Apple hasn't been rushing a quick-fix for this.
     
  22. macrumors 68040

    shamino

    Joined:
    Jan 7, 2004
    Location:
    Vienna, VA
    #22
    Yes, but default Linux distros (at least my RedHat one) have the tty_tickets option on by default and log sudo activity in the secure log file. So the bug can only affect someone who deliberately modified his sudo configuration to a less-secure model.
     
  23. macrumors 68040

    shamino

    Joined:
    Jan 7, 2004
    Location:
    Vienna, VA
    #23
    On all UNIX systems, there are some maintenance activities which you need to do from a "root" account. (root being the Unix equivalent of an Administrator on other operating systems.)

    Because it is unsafe to be logged in as root all the time (since a typo can trash the entire system), it is good practice to do your day-to-day work from an ordinary (non-privileged) user account, and only use the root account when absolutely necessary.

    The classic way to do this is the "su" (switch-user) command. su lets one user switch over to another user's account. You just type "su <user>", followed by that user's password (when prompted) and you're now working as that user until you exit from that user's shell. If you use the su command without specifying a user, you are switched to the root account (after you type in the root password, of course.)

    Over time, people decided that using su for maintenance is a bad idea. Anybody using it needs to know the root password - meaning they can have access to everything. And if someone forgets to exit from the root-level shell and walks away from the terminal, someone else could trash the system from there.

    So the "sudo" command was invented. Sudo allows you to switch to another user (usually root), but only for one command. When that command completes, you are left back in your original account's shell, not a root shell.

    Furthermore, sudo asks for your own password, not the root password. So the administrator doesn't have to give you access to the root account in order to use it. The file /etc/sudoers (set up by the administrator) is used to tell the sudo program who is allowed to switch to what accounts, and what programs they're allowed to run when they do.

    With a properly configured sudo command, an administrator can delegate his administrative duties to other users without granting them root-level access. It also is possible to eliminate the need for root-level logins (and the ability to switch to a root-shell via the su command) if sudo is set up properly. (This is why Apple can leave the root account disabled in a default MacOS installation without breaking everything.)

    Unfortunately, Apple didn't leave sudo properly configured. Their decision to have the tty_tickets option disabled by default and to send sudo's log messages to the system-log instead of the security-log presents a security hole that a crafty program can use to perform root-level commands without knowing any passwords.
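    The two weaknesses described here (a credential ticket shared across terminals for the timeout window, and sudo records going to a log any process can read) also give a defender something to look for. The following is an added example, not code from the thread or from Apple's sudo: it parses the one-line-per-command syslog entries sudo writes and flags a second sudo command from a different TTY inside the grace window, which is exactly the pattern the earlier how-to's tty_tickets and timestamp_timeout=0 settings prevent. The log lines, host name and user name are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample lines in the format sudo uses for syslog on Mac OS X;
# not taken from the page or from a real machine.
SAMPLE_LOG = """\
Apr 12 09:58:10 mymac sudo:  alice : TTY=ttyp1 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/sbin/installer -pkg /tmp/app.pkg -target /
Apr 12 09:59:02 mymac sudo:  alice : TTY=ttyp1 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/ls /var/root
Apr 12 10:01:45 mymac sudo:  alice : TTY=unknown ; PWD=/Users/alice ; USER=root ; COMMAND=/tmp/.unexpected
Apr 12 10:20:00 mymac sudo:  alice : TTY=ttyp2 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/top
"""

# syslog timestamp, host, then sudo's "user : TTY=... ; PWD=... ; USER=... ; COMMAND=..." record
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sudo: +(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")


def parse_sudo_lines(text, year=2005):
    """Return one dict (time, user, tty, runas, cmd) per sudo log line.
    syslog omits the year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sudo record; system.log mixes in everything else
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": when, "user": m["user"], "tty": m["tty"],
                       "runas": m["runas"], "cmd": m["cmd"]})
    return events


def find_ticket_reuse(events, timeout_sec=300):
    """Flag a sudo command run from a different TTY than the same user's previous
    one within timeout_sec (sudo's default 5-minute timestamp_timeout).
    Without tty_tickets the cached credential is shared across terminals, so a
    command from another TTY (or TTY=unknown, i.e. no terminal at all) in that
    window did not have to present a password."""
    last = {}  # user -> most recent sudo event
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        prev = last.get(ev["user"])
        if (prev and ev["tty"] != prev["tty"]
                and (ev["time"] - prev["time"]).total_seconds() <= timeout_sec):
            alerts.append(ev)
        last[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for a in find_ticket_reuse(parse_sudo_lines(SAMPLE_LOG)):
        print(f"{a['time']} {a['user']} ran {a['cmd']} as {a['runas']} from TTY={a['tty']}")
```

With timestamp_timeout=0 every sudo command prompts, so the window in find_ticket_reuse collapses to zero and the check becomes moot; the parser itself is the same whether the records land in system.log or secure.log.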
     
  24. macrumors 68020

    daveL

    Joined:
    Jun 18, 2003
    Location:
    Montana
    #24
    Setting up a root account certainly isn't the most secure way to go about it. If you're going to be doing a bunch of root-level work, you can always "sudo bash" to get a root sub-shell. Anyway, that's how I've been doing it.
     
  25. macrumors 68040

    shamino

    Joined:
    Jan 7, 2004
    Location:
    Vienna, VA
    #25
    You're absolutely right on all counts.

    If a trojan is able to trick a user into typing in an admin account/password, then it can do anything, including disable all the system security.

    Which is why we'll never be completely free of viruses - there will always be some users who will be tricked into destroying their own systems, no matter how many warnings you give them.
     