daveL said:
I also can't see why the suggested 'sudo' configuration isn't the out-of-the-box default.

I'm updating the 'sudo' configuration on all my Macs now ...

If memory serves me correctly Apple actually introduced the 5 minute delay with a 10.2.x (or maybe 10.3.x) update because people were annoyed at having to repeatedly enter the password for sudo tasks?

Either way, you can avoid it all by using "sudo -k" instead of "sudo".

AppleMatt
 
mkrishnan said:
Since this came up, I've been wondering...I set up a main user account under my username (mkrishnan) as an admin, and a guest account with simplified finder, which I never use, but thought I might need at some point. I'm starting to think that if I ever clean install Panther, or I get Tiger, I should have set up an admin account that I primarily do not use, and then a managed account for my usual activity. What is the difference between a managed account with no limitations and an admin account?
I did this recently. What mkrishnan posted is correct. However, you also have the option of authenticating, since you're also the administrator, and therefore know the admin account username and password, if you need to do some sort of administrative task. Some things simply can't be done without logging into the administrative account, such as (by default, unless you modified the /etc/sudoers file with the visudo utility to enable such use) the use of the sudo command.
 
wrldwzrd89 said:
I did this recently.

Yeah, I think I should do this too.... It's too bad I can't create a new admin account and de-adminize myself, so that I don't have to mess with moving all my documents and getting my iTunes and iPhoto albums re-instated.... Or is there a way to do that (convert an admin account to a managed user)?
 
wrldwzrd89 said:
I did this recently. What mkrishnan posted is correct. However, you also have the option of authenticating, since you're also the administrator, and therefore know the admin account username and password, if you need to do some sort of administrative task. Some things simply can't be done without logging into the administrative account, such as (by default, unless you modified the /etc/sudoers file with the visudo utility to enable such use) the use of the sudo command.

I've been running this way for most of the time since I switched over to OS X - as a former Linux user it just made sense.

Unfortunately if you do this, you will find that a few apps are not correctly written for OS X. It's rare, but there are some that won't let you authenticate as an admin user - they'll just kick out and say "sorry you can't do that". It's annoying when it happens. So on those rare occasions you will actually have to log in as the admin user to run that particular piece of software.

It seems like Carbon Copy Cloner had this issue back when I used it. Most of the time when this has happened it's been with an installer. Wish I could remember which other ones did this...
 
mkrishnan said:
Yeah, I think I should do this too.... It's too bad I can't create a new admin account and de-adminize myself, so that I don't have to mess with moving all my documents and getting my iTunes and iPhoto albums re-instated.... Or is there a way to do that (convert an admin account to a managed user)?

Yes, just uncheck the account security box "allow user to administer this computer".

Do that AFTER you've created another admin account, of course! :D
 
Westside guy said:
I've been running this way for most of the time since I switched over to OS X - as a former Linux user it just made sense.

Unfortunately if you do this, you will find that a few apps are not correctly written for OS X. It's rare, but there are some that won't let you authenticate as an admin user - they'll just kick out and say "sorry you can't do that". It's annoying when it happens. So on those rare occasions you will actually have to log in as the admin user to run that particular piece of software.

It seems like Carbon Copy Cloner had this issue back when I used it. Most of the time when this has happened it's been with an installer. Wish I could remember which other ones did this...
Carbon Copy Cloner still does it. Virex won't let you update the definitions if you aren't an administrator, either. Those are the only two applications that I know don't work properly.
 
rainman::|:| said:
While this isn't a virus, this is a step closer... I've always kind of wondered about the 5-minute sudo grace, and why another process couldn't take advantage of that. But the fact remains that the virus would need to be installed and launched by the user, which is the first line of defense-- needing root privileges is actually the second line of defense. If malignant code can't propagate and still has to be launched, it's not much of a virus...

Of course, once they figure out how to get the virus to propagate, we're screwed. Assuming Apple doesn't close up this hole first. Not like they drag their feet on the really critical stuff or anything...
The fact alone that it requires so many steps to implement makes it a piss poor excuse for a virus. Anyone who gets this deserves it.
 
Westside guy said:
Yes, just uncheck the account security box "allow user to administer this computer".

Do that AFTER you've created another admin account, of course! :D

Sweeeeeet! :) I never knew about this option because I only had one admin account all this time, and so it wasn't displayed....I created a super user account, logged out, logged back in, and now I feel delightfully powerless. :D

I'll let it be for a while and see if there are any annoying consequences, beyond having to type a user name and a password for the super user in order to modify system directories. But this did exactly what I wanted, which was to protect the apps directory. :D
 
mkrishnan said:
Yeah, I think I should do this too.... It's too bad I can't create a new admin account and de-adminize myself, so that I don't have to mess with moving all my documents and getting my iTunes and iPhoto albums re-instated.... Or is there a way to do that (convert an admin account to a managed user)?

I've been running this way for over a year without a problem. Just follow Westside Guy's instructions.

There is an additional step you need to do, though. Every time you install an application bundle, manually change the ownership to root:admin so it isn't writeable by your account (this will break some applications, but so far they are very few and far between).

As for the original issue, let's face it. Every single operating system always has been and always will be vulnerable to trojans. You can put every single security measure you want in place, but if the person is convinced the program is useful they will override the security.

Permissions, Priv escalation, firewalls et al are to protect from viruses and worms.

Only education can protect against a trojan.
 
daveL said:
Let's face it, most Mac users have admin privileges. There's nothing that tells them to create a non-admin account to use for all their routine work.

Quite right, and there's plenty of folks out there who really don't have a clue what they're doing and the risks they take downloading and installing random things.

Unfortunately, I don't think that the security changes that can be applied to /etc/sudoers have any effect on the GUI's SecurityAgent. So downloading and installing a properly crafted trojan'd app is still very feasible. Can someone give some definitive info on how SecurityAgent interacts with authentication?

Looking at the Documentation for darwin and OS X, I found some good info. What I take from it is that sudo and the Security Server have no interaction whatsoever.

Authorization Services
Security Architecture
 
stcanard said:
There is an additional step you need to do, though. Every time you install an application bundle, manually change the ownership to root:admin so it isn't writeable by your account (this will break some applications, but so far they are very few and far between).

Thanks! Switching users to the admin user, and installing from that account also addresses this issue, correct? I checked what you said -- I have Firefox (for instance) installed in my system from before I de-admin'd myself, and I own it, and so I am still able to modify it, even though I no longer have admin access....I am going to try to give access to everything in my Apps directory back to the system. We'll see if that causes my computer to go down in flames or not. :D
 
mkrishnan said:
I am going to try to give access to everything in my Apps directory back to the system. We'll see if that causes my computer to go down in flames or not. :D

Don't worry, you get used to the flames after a while. Just tell the Dell users around you it's the turbo function :)

Always installing from an admin account would solve that problem. I'm too lazy to do a FUS so what I've done is added my own account to the sudoers file, then after the install I go to terminal and type

bash> sudo chown -R root:admin /Applications/MyNeatApp.app

To be extra safe you would also want to do:

bash> sudo chmod go-w /Applications/MyNeatApp.app

but I find most bundles these days are good enough not to have group/world write permissions.

By putting myself in sudoers I find it's a very rare occurrence to have to leave my own account to do something.
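An added example, not code from the thread: a small POSIX sh audit for the problem stcanard's root:admin step and mkrishnan's Firefox observation both point at, namely bundles in an applications directory that the logged-in account can modify because it owns them or because group/other write bits are set, plus the chown/chmod fix wrapped as a function. The audit needs no privileges; the fix needs sudo. The directory and bundle names used for trying it out are constructed.

```shell
# Added example, not code from the thread. Audits an applications directory
# for the problem discussed above: bundles that the logged-in account can
# modify because it owns them or because the group/other write bits are set.
# Portable to macOS and Linux sh; relies only on ls and printf.

audit_bundles() {
    dir="$1"
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue
        # ls -ld prints: mode links owner group ... e.g. "drwxrwxr-x 3 alice staff"
        set -- $(LC_ALL=C ls -ld "$app")
        mode=$1
        owner=$3
        reasons=""
        # mode string positions: 1 type, 2-4 owner, 5-7 group, 8-10 other
        [ "$owner" != "root" ] && reasons="$reasons owner=$owner"
        case "$mode" in ?????w*)    reasons="$reasons group-writable" ;; esac
        case "$mode" in ????????w*) reasons="$reasons other-writable" ;; esac
        [ -n "$reasons" ] && printf '%s:%s\n' "$app" "$reasons"
    done
    return 0
}

# The fix stcanard posts above, wrapped so it can be applied to each finding.
# Needs root, i.e. run via sudo. chmod is applied recursively here (an
# addition over the thread's non-recursive chmod) so nested files are covered.
harden_bundle() {
    chown -R root:admin "$1" && chmod -R go-w "$1"
}

# Usage: audit_bundles /Applications
# Then, for each reported bundle (path is a placeholder):
#   sudo sh -c '. ./audit.sh; harden_bundle /Applications/MyNeatApp.app'
```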
 
Peyote said:
I don't know how much I agree with that. Granted, today's viruses are self replicating, but back in the early PC days, getting a virus in your computer may not have had anything to do with the virus being self replicating, or infecting your PC from another machine. Back then, people mostly got viruses through downloading and running something they shouldn't, which is basically what this proof of concept involves.

....
First off, let me agree that the FUD post that started this thread was about a "trojan," not a "virus." That said, Peyote, where do you get your information? It is just plain wrong. A virus today must be self-replicating. Twenty years ago, viruses were self-replicating. The difference between then and now is the transport mechanism. Twenty years ago, your virus came from an infected floppy. Contrary to your belief, the user was not required to run something that he or she should have known to be risky. All that was required was to read an infected floppy. The infected floppy may have contained a friend's WordStar files or it may have been the shrinkwrapped distribution disk for your mission-critical application. Now, you are likely to get a virus over the network. However, your Windows PC can still be infected by floppies and other removable storage.
 
Peyote said:
How often do you use the sudo command?
This one is easy to answer.

Open a terminal window and try this:
more /var/log/system.log | grep "sudo"

If you get back nothing, try this:
sudo ls -al

It'll ask for your password. This should plug an entry into the system.log file for you. Run this one again:
more /var/log/system.log | grep "sudo"

You should now see an entry there, showing you used sudo to run the ls command.
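An added example, not code from the thread, that takes Peyote's grep one step further: a sh/awk summary of sudo lines in a syslog-style file such as /var/log/system.log, giving per-user counts of successful and failed invocations and the command each successful one ran. The log lines embedded below are constructed; the host name, user names and commands in them are placeholders.

```shell
# Added example, not code from the thread. Summarises sudo activity in a
# syslog-style file such as /var/log/system.log, extending Peyote's grep:
# per-user counts of successful and failed sudo invocations, plus the
# command each successful one ran. The log lines below are constructed.

SUDO_LOG_SAMPLE='Mar  5 10:01:22 powerbook sudo:    alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/ls -al
Mar  5 10:03:10 powerbook sudo:    alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/sbin/chown -R root:admin /Applications/MyNeatApp.app
Mar  5 10:04:41 powerbook sudo:      bob : 3 incorrect password attempts ; TTY=ttys001 ; PWD=/Users/bob ; USER=root ; COMMAND=/bin/sh
Mar  5 10:05:00 powerbook crond[123]: unrelated line that must be ignored'

# sudo_summary FILE: prints one "run USER COMMAND" line per successful
# invocation, then "ok USER N" and "failed USER N" totals.
sudo_summary() {
    grep -E 'sudo(\[[0-9]+\])?:' "$1" | awk '
    {
        # the username is the token right after "sudo:" (or "sudo[pid]:")
        for (i = 1; i <= NF; i++)
            if ($i ~ /^sudo(\[[0-9]+\])?:$/) { user = $(i + 1); break }
        n = index($0, "COMMAND=")
        cmd = (n > 0) ? substr($0, n + 8) : "?"
        if ($0 ~ /incorrect password/) {
            failed[user]++
        } else {
            ok[user]++
            print "run", user, cmd
        }
    }
    END {
        for (u in ok) print "ok", u, ok[u]
        for (u in failed) print "failed", u, failed[u]
    }'
    return 0
}

# Usage on a real system: sudo_summary /var/log/system.log
# To try it on the constructed sample:
#   printf "%s\n" "$SUDO_LOG_SAMPLE" > /tmp/sudo-sample.log
#   sudo_summary /tmp/sudo-sample.log
```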
 
Well, it is a TROJAN, not a virus. But a virus can be written that way. When it can get root, self-replicating is not a problem.

As far as I remember, most viruses in DOS day did require running infected file(s) to replicate.

MisterMe said:
First off, let me agree that the FUD post that started this thread was about a "trojan," not a "virus." That said, Peyote, where do you get your information? It is just plain wrong. A virus today must be self-replicating. Twenty years ago, viruses were self-replicating. The difference between then and now is the transport mechanism. Twenty years ago, your virus came from an infected floppy. Contrary to your belief, the user was not required to run something that he or she should have known to be risky. All that was required was to read an infected floppy. The infected floppy may have contained a friend's WordStar files or it may have been the shrinkwrapped distribution disk for your mission-critical application. Now, you are likely to get a virus over the network. However, your Windows PC can still be infected by floppies and other removable storage.
 
wrldwzrd89 said:
Carbon Copy Cloner still does it. Virex won't let you update the definitions if you aren't an administrator, either. Those are the only two applications that I know don't work properly.

Talk about coincidences - I just downloaded the update for Nikon PictureProject... and guess what? :D
 
Westside guy said:
Talk about coincidences - I just downloaded the update for Nikon PictureProject... and guess what? :D

Ouch. I'm sorry! :(

So far things seem to be okay for me, after having de-admin'd myself and chown'd everything in the entire Applications folder to root:admin. :D (Which, incidentally, doesn't seem to work correctly at all if you try to do it from Finder -- the option to cascade changes to all sub-contents seems to have ignored files at random....)

Since I've been playing with Bochs, I also got around to making a symbolic link to its rc file in the Apps directory, and putting the real rc file in my user directory, alongside the disk images. :cool: This brings up an interesting question I have. Is there any subtle reason why Apple chose to implement two different systems for aliases / symbolic links? If I create an alias to a text file in Finder, then from terminal, open handles it correctly, but more does not. If I create a symbolic link from terminal, both open and more handle it correctly. And yet the symbolic link is listed in Finder as an alias! :D

I don't know if all of this is actually making my computer much more secure. At least I'm learning some more Unix/bash along the way, though! :D
 
mkrishnan said:
This brings up an interesting question I have. Is there any subtle reason why Apple chose to implement two different systems for aliases / symbolic links?

This doesn't directly answer your question - but I know with aliases that they still work even if the target file is moved. With a symbolic link ("soft link" in *nix parlance), if you move the target the link breaks.

I imagine it's an HFS+ thing. I'm also curious to see if this is still true in Tiger. Supposedly Tiger's version of bash has complete compatibility with the file system - meaning that "cp" and "mv" will understand resource and data forks (something I never really grokked, since I wasn't much of a Mac person prior to OS X). Perhaps this would also carry over to the symbolic link vs. alias question?
 
AppleMatt said:
If memory serves me correctly Apple actually introduced the 5 minute delay with a 10.2.x (or maybe 10.3.x) update because people were annoyed at having to repeatedly enter the password for sudo tasks?

Either way, you can avoid it all by using "sudo -k" instead of "sudo".

AppleMatt
That's fine, but you have to remember to add the option. I realize you could create an alias, but you are still depending on the user to execute. I'd much rather have the suggested configuration be the system default. If you want to make a conscious decision to change the default, that's fine. Just my take on it.
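An added example, not from the thread: an /etc/sudoers fragment showing the setting behind the 5-minute window AppleMatt and daveL discuss, with the per-user entry stcanard mentions. `timestamp_timeout` is the real sudoers option that controls the credential cache; the username is a placeholder, and the file should only ever be edited with visudo, as wrldwzrd89 notes.

```sudoers
# /etc/sudoers fragment (constructed example; edit only with visudo)

# Default behaviour complained about above: after one successful password,
# sudo reuses the cached credential for 5 minutes, so anything else running
# as the same user in the same session can ride on it.
# Defaults timestamp_timeout=5

# Hardened: require the password on every sudo invocation. This is the
# system-wide equivalent of remembering to run "sudo -k" each time.
Defaults timestamp_timeout=0

# Grant a specific non-admin account sudo rights, as stcanard describes,
# instead of relying on membership in the admin group.
alice   ALL=(ALL) ALL
```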
 
stcanard said:
...
I'm too lazy to do a FUS so what I've done is added my own account to the sudoers file, then after the install I go to terminal and type

bash> sudo chown -R root:admin /Applications/MyNeatApp.app

To be extra safe you would also want to do:

bash> sudo chmod go-w /Applications/MyNeatApp.app
...
What about repairing disk permissions? Will this undo these changes? You could add this to your daily script... right?
 
AppleMatt said:
If memory serves me correctly Apple actually introduced the 5 minute delay with a 10.2.x (or maybe 10.3.x) update because people were annoyed at having to repeatedly enter the password for sudo tasks?

Under Linux sudo has always had this 5 minute password-less window. If this wasn't the case with OS X originally, I'd imagine Apple switched to it because over time they've been moving towards more standard *nix behavior (i.e. settings files now in /etc/ instead of Library/Preferences, and such) as OS X has matured.
 
Cocktail 2.1 doesn't let me authenticate from a non admin account.

It sounds like this sort of trojan would only work with users working as real admins, and presumably they would be far more aware of this sort of "trick" than a klutz like me?
 
Here's an update on my situation regarding non-admin primary use:

Somehow, the permissions on some of the folders and files in my home directory got set to read only or with an invalid owner. Fixing read only is easy, but fixing invalid owner requires the use of sudo, and hence the administrator account.
 