sudo security


I posted this over at macaddict as well as at arstechnica, but I'm interested in feedback from as many sources as possible, hoping to get Apple's attention with this so that it's fixed.

The default for sudo on OS X is that any admin user can execute any command, read any file, do anything they want, using their own password from the cli.

This I believe to be fundamentally wrong: from the cli, sudo should be off unless it is turned on by the root user.

If an admin should ftp something remotely, their password can be easily sniffed. This allows the cracker to log on by conventional means, be it ssh or telnet (depending upon what is enabled). They then run /usr/bin/groups and, if they are in the wheel group, have root access to the machine without needing to run any kind of root kit.

Most unix books make it clear that you should remotely log into root, but remotely logging into a wheel account is never prohibited in any unix book I've ever read (and I've read a LOT).

On the OS X default, remotely logging in to an admin account IS remotely logging into root; the user probably just doesn't know it.

There are several better ways Apple could have handled this:

1) My Favorite:
Screw sudo. OS X is a desktop OS intended to be administered from the gui, which cannot be remotely used.

Keep root disabled by default, and do NOT allow members of the wheel group to do admin via sudo from the cli by default.

This effectively means that the machine, by default, cannot be administered remotely since Aqua is not a remote gui.

If you want to do administrative stuff from the gui, then you need to activate the root account. The security of gui administration capabilities is then up to the user to ensure.

2) Require root password for sudo

Apple could have easily allowed sudo for the admin users, but required them to know the root password.

I don't like this as much because I'm opposed to sudo in general. It's a powerful tool, but in most cases where it is implemented there is a better way to do it without sudo, and allowing a user to do something via sudo is dangerous (if the binary has a buffer overflow and is being executed as root via either sudo or the suid bit, the box can be rooted).

I don't like this solution, but it would work.

Bottom line:
OS X is a desktop OS and I'm fine with admin users being able to do anything from the gui. OS X is not a server OS like Linux or BSD or Solaris. (Yes, Darwin is a BSD, but OS X != Darwin.)

What I'm not fine with is that same power being granted in the cli, allowing a cracker to remotely root your machine with ease.

I've got a small write-up on how to fix it at for those interested.

But anyway, if you are confused as to why this is a problem, or feel that it's not a problem, I welcome your debate.
Just a side note, sudo is a LOT different to the 'su' command.

su will ask for the root password, and will give you uncontrolled access to the root account to do as you please.

sudo, on the other hand, has, if properly used, very fine-grained 'root' access, allowing any user listed in the sudoers file to run set commands. It is also LOGGED. Every command you run via sudo gets a log entry (unless Apple have disabled this by default; I'll have to check when I'm at work on my OS X box next).

All you need to do is add ;!/bin/su to the ALL:ALL line and you can stop people running sudo su to circumvent the logging ability of sudo.

Anyways, just pointing out some differences. I think Apple could have done it a little differently too. Then again, I'm with you on the point that it's a Desktop/Workstation OS: if you've got physical access to the box, it doesn't care a wink what the account permissions are.

I love the sudo command. I think it's the best thing since sliced bread.

Now if I need to do something as root I don't have to be root any longer than it takes to execute the command.

This is better even than su-ing to root, executing the command, and having to remember to exit.

The fact that all admin users can do sudo by default might be a little careless. For single-user Macs, that person is Admin by default. So now we have people with no idea what security means, running around with their cat's name as a password, just waiting for someone to get into their machine and sudo their way to cracker heaven (not a racial slur).

At least Apple's got remote login turned off by default. Kudos.

Their cat's name as a password????
I thought everyone did the spaceball thing! 1-2-3-4-5! :D

Personally I like sudo, I use it less now though than before :)
All you need to do is add ;!/bin/su to the ALL:ALL line and you can stop people running sudo su to circumvent the logging ability of sudo.

Not true.
Well, sort of, but what is to stop the user from using sudo to edit the sudoers file and turn off logging, using sudo again to edit the log to remove that command, and then using sudo again to turn it back on after they install the trojan ssh daemon?

When setting up something securely, you don't try to think of what you don't want and then turn it off. Instead, you turn everything off and then activate only what you need.

What's to stop a user from creating their own su command in their own bin (the source is available), using sudo to chmod 4111 their own su command (set the uid bit), then using sudo on their own su command to edit the log, removing the use of chmod?

No, turning off sudo with a few commands isn't going to cut it.
If you are going to use sudo, the only semi-secure way to do it is to turn it off completely and then add what you are going to allow sudo to do.

I realize sudo is convenient, but it's better to install the GNU su (as I described on the page I linked to), and if you want to execute a single command as root:

su root --command="whatever"

You will need root's password, but just like with sudo, only that command is done as root, and you don't have a gaping security flaw.
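The two posts above argue about the same sudoers line: the earlier suggestion to tack a negated /bin/su onto the ALL entry, and this reply's point that any other ALL-permitted command (an editor on /etc/sudoers, chmod on a private copy of su) still reaches root, so the only sane setup is to start from nothing and allow-list. The following is an added example, not code from any of the posters: a small Python model of how sudo decides a user spec (every matching entry is applied in order, last match wins, a bare path matches any arguments, a path plus arguments must match exactly). The sudoers fragments, the user "alice", her group membership, and the paths under /Users/alice are constructed for the example; the "%admin ALL=(ALL) ALL" line is the form of the OS X default that the thread is about.

```python
"""Toy evaluator for sudoers user specifications (added example).

Models only User_Spec lines of the form
    who  host=(runas)  cmd[, cmd ...]
where '!' negates a cmd and ALL is a wildcard.  It is not a replacement
for visudo; it reproduces sudo's last-match-wins rule for the simple
cases below so the effect of "ALL, !/bin/su" can be seen directly.
"""
import re
from dataclasses import dataclass

# Constructed sudoers fragments for the example (assumptions, not copied
# from a real machine).  The first is the shape of the OS X default.
DEFAULT_ADMIN_ALL = "%admin ALL=(ALL) ALL"
NEGATE_SU_ONLY = "%admin ALL=(ALL) ALL, !/bin/su"
ALLOWLIST_ONLY = "%admin ALL=(ALL) /usr/sbin/softwareupdate, /bin/launchctl list"

SPEC_RE = re.compile(
    r"^\s*(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+?)\s*$"
)


@dataclass
class UserSpec:
    who: str
    host: str
    runas: str
    commands: list  # (negated, pattern) pairs, in file order


def parse_sudoers(text):
    """Parse User_Spec lines; comments, blank lines and Defaults are skipped."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        cmds = []
        for item in m.group("cmds").split(","):
            item = item.strip()
            cmds.append((item.startswith("!"), item.lstrip("!").strip()))
        specs.append(UserSpec(m.group("who"), m.group("host"),
                              m.group("runas") or "root", cmds))
    return specs


def _who_matches(who, user, groups):
    if who == "ALL":
        return True
    if who.startswith("%"):          # %name is a group
        return who[1:] in groups
    return who == user


def _cmd_matches(pattern, command):
    """A bare path matches that path with any arguments; a path given with
    arguments must match the arguments exactly."""
    if pattern == "ALL":
        return True
    pat_path, _, pat_args = pattern.partition(" ")
    cmd_path, _, cmd_args = command.strip().partition(" ")
    if pat_path != cmd_path:
        return False
    return pat_args == "" or pat_args.strip() == cmd_args.strip()


def may_run(sudoers_text, user, groups, command, host="localhost"):
    """True if this model says sudo lets `user` run `command`.
    Every matching entry is applied in order; the last match decides."""
    verdict = False
    for spec in parse_sudoers(sudoers_text):
        if spec.host not in ("ALL", host) or not _who_matches(spec.who, user, groups):
            continue
        for negated, pattern in spec.commands:
            if _cmd_matches(pattern, command):
                verdict = not negated
    return verdict


# The routes to root raised in the thread, as concrete command lines
# (constructed; the path under /Users/alice is hypothetical).
BYPASSES = {
    "sudo su": "/bin/su",
    "edit sudoers or the log with any editor": "/usr/bin/vi /etc/sudoers",
    "setuid a private copy of su": "/bin/chmod 4111 /Users/alice/bin/su",
    "run a shell directly": "/bin/sh",
}


def permitted_bypasses(sudoers_text, user="alice", groups=("admin", "wheel", "staff")):
    """Names of the BYPASSES a given sudoers text still permits for `user`."""
    return [name for name, cmd in BYPASSES.items()
            if may_run(sudoers_text, user, groups, cmd)]


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_ADMIN_ALL),
                        ("ALL, !su", NEGATE_SU_ONLY),
                        ("allow-list", ALLOWLIST_ONLY)):
        print(f"{label:10} -> still permitted: {permitted_bypasses(text)}")
```

Running it shows the negated entry closes exactly one of the four routes and leaves the other three open, while the allow-list closes all four. The allow-list is only as good as the listed binaries: anything that can spawn a shell or write arbitrary files (editors, pagers, launchctl with unrestricted arguments) hands root back, which is why the example pins launchctl to a single argument. Check a real file with visudo -c before relying on it; this model does not validate syntax.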
resedit, whenever you allow protocols with cleartext passwords you have a problem. That doesn't have anything to do with sudo; nobody should ever be able to 'sniff' your admin password, period.

Do you go around town giving people your admin password? Is there some rule whereby the admin password should be considered public information yet not the root password?

Install sshd and be done with it. If you can't keep your admin password secure, that's your problem. There is a reason why you have admin users and non-admin users: admin users are essentially root while non-admin users are just regular users. If you have ever used sudo in the past you would realize that OS X is NO DIFFERENT from ANY other system using sudo.

Admins are not regular users, get it now?
Okay, so I left it as an exercise for the reader: yes, you should turn off all and enable what you want. This is the right method for setting up sudo.

As for su, and needing the root password. This is pointless, and a major step back in security. The whole point of sudo is to allow logged, restricted use of the root account, without needing to give out the root password.

If you're setting up an OS X box for others to use, you certainly wouldn't be giving out the root password. If you did, how can you trust them not to do mischievous things with the su command? And it's certainly not logged, or controllable.

The basic differences are:

su & root passwd

-- Ohh silly fools! Watch out!

sudo & own password & good sudoers setup

-- I'm allowed to run these commands, and it's logged.
-- If I try to run something else, it's logged / notified.
-- I get to run one command at a time; I have time to think about what I'm about to do.

This is probably going beyond the needs of a single user using their OS X box, but still, I think it's important to understand the basic differences.

It's a lot simpler than that. If you don't want people to have sudo access don't make them admin.
It is my understanding that the Installer has the suid bit set, so that it runs as root and can install packages in directories writable only by root. So anyone with an administrator password could install a package that compromises the system and enables root access.
So there's really no point in disabling the sudo command, since an administrator password is sufficient to get root access.

Security on a machine is a Myth, unless the box is turned off and buried. Or better yet, never built in the first place.

If you're the kind of anal person who is going to ensure that no one can get at their machine, you would not be turning off this and that but ALL of it.

Otherwise, of course there are ways around it.

Why refuse making them an "admin" and then still let them know the root password? etc etc.

It makes sense to either ignore it all together or to tighten it up to pisceen-water-tightness. :)

Or you could simply turn off the machine, and go have a nice warming drink ;)

Cheers, Andrew