I posted this over at macaddict as well as at arstechnica- but I'm interested in feedback from as many sources as possible, hoping to get Apple's attention with this so that its fixed.
The default for sudo on OS X is that any admin user can execute any command, read any file, do anything they want, using their own password from the cli.
This I believe to be fundamentally wrong- from the cli, sudo should be off unless it is turned on by the root user.
If an admin should ftp something remotely, their password can be easily sniffed. This allows the cracker to log on by conventional means- be it ssh or telnet (depending upon what is enabled). They then run /usr/bin/groups and if they are in the wheel group, have root access to the machine without needing to run any kind of root kit.
Most unix books make it clear that you should remotely log into root, but remotely logging into a wheel account is never prohibited in any unix book I've ever read (and I've read a LOT).
On OS X default- remotely logging in to an admin account IS remotely logging into root, user probably just doesn't know it.
There are several better ways Apple could have handled this:
1) My Favorite:
Screw sudo. OS X is a desktop OS intended to be administered from the gui, which can not be remotely used.
Keep root disabled by default, and do NOT allow members of the wheel group to do admin via sudo from the cli by default.
This effectively means that the machine, by default, can not be administered remotely since Aqua is not a remote gui.
If you want to do administrative stuff from the gui, then you need to activate the root account. The security of gui administration capabilities is then up to the user to ensure.
2) Require root password for sudo
Apple could have easily allowed sudo for the admin users, but required them to know the root password.
I don't like this as much because I'm opposed to sudo in general- its a powerful tool, but in most cases where it is implemented- there is a better way to do it without sudo, and allowing a user to do something via sudo is dangerous (if the binary has a buffer overflow, and is being executed as root via either sudo or suid bit, the box can be rooted).
I don't like this solution- but it would work.
-=-
Bottom line-
OS X is a desktop OS and I'm fine with admin users being able to do anything from the gui. OS X is not a Server OS like Linux or BSD or Solaris. (yes- Darwin is a BSD- but OS X != Darwin)
What I'm not fine with is that same power being granted in the cli, allowing a cracker to remotely root your machine with ease.
I've got a small write up on how to fix it at http://24.5.29.77/Linux_Pages/howto/sudo.php for those interested.
But anyway- if you are confused as to why this is a problem, or feel that its not problem, I welcome your debate.
The default for sudo on OS X is that any admin user can execute any command, read any file, do anything they want, using their own password from the cli.
This I believe to be fundamentally wrong- from the cli, sudo should be off unless it is turned on by the root user.
If an admin should ftp something remotely, their password can be easily sniffed. This allows the cracker to log on by conventional means- be it ssh or telnet (depending upon what is enabled). They then run /usr/bin/groups and if they are in the wheel group, have root access to the machine without needing to run any kind of root kit.
Most unix books make it clear that you should remotely log into root, but remotely logging into a wheel account is never prohibited in any unix book I've ever read (and I've read a LOT).
On OS X default- remotely logging in to an admin account IS remotely logging into root, user probably just doesn't know it.
There are several better ways Apple could have handled this:
1) My Favorite:
Screw sudo. OS X is a desktop OS intended to be administered from the gui, which can not be remotely used.
Keep root disabled by default, and do NOT allow members of the wheel group to do admin via sudo from the cli by default.
This effectively means that the machine, by default, can not be administered remotely since Aqua is not a remote gui.
If you want to do administrative stuff from the gui, then you need to activate the root account. The security of gui administration capabilities is then up to the user to ensure.
2) Require root password for sudo
Apple could have easily allowed sudo for the admin users, but required them to know the root password.
I don't like this as much because I'm opposed to sudo in general- its a powerful tool, but in most cases where it is implemented- there is a better way to do it without sudo, and allowing a user to do something via sudo is dangerous (if the binary has a buffer overflow, and is being executed as root via either sudo or suid bit, the box can be rooted).
I don't like this solution- but it would work.
-=-
Bottom line-
OS X is a desktop OS and I'm fine with admin users being able to do anything from the gui. OS X is not a Server OS like Linux or BSD or Solaris. (yes- Darwin is a BSD- but OS X != Darwin)
What I'm not fine with is that same power being granted in the cli, allowing a cracker to remotely root your machine with ease.
I've got a small write up on how to fix it at http://24.5.29.77/Linux_Pages/howto/sudo.php for those interested.
But anyway- if you are confused as to why this is a problem, or feel that its not problem, I welcome your debate.
