Re: Remove all admin-root authorization prompts from OSX

2007-01-26 Thread Baptiste Malguy
Hello,

About sudo in particular.

* You can force a prompt every time (the timeout is 5 min by default on Mac OS X) by adding a line
such as the following to /etc/sudoers (using the visudo command):
  Defaults timestamp_timeout = 0

* By default, users do not authenticate on a per-tty basis. You can
enforce it with the following option:
  Defaults tty_tickets

The latter is enabled by default on the Ubuntu GNU/Linux distribution. Reading
the sudoers manual page is very interesting.

Regards,

-- 
Baptiste MALGUY - System Engineer   EASYNET
PGP Fingerprint: 49B0 4F6E 4AA8 B149 B2DF  9267 0F65 6C1C C473 6EC2
www.easynet.com - phone: +33 1 44 54 70 00 - fax: +33 1 44 54 70 01

--

Marvin Simkin wrote:
 I respectfully disagree with this proposal and maybe we should discuss it.
 
 Being a member of the admin group is NOT 100% equal to being root. Therefore 
 when you switch from admin group to uid=0 you are escalating privileges. A 
 trojan that gets control of an admin's session should not be able to escalate 
 itself to root without a password prompt, which requires a human to decide 
 (rightly or wrongly...) yes I do want to increase the authority of this 
 process.
 
 Sure, an admin should be smart enough not to get trojaned, but what if they 
 do anyway?
 
 Maybe a cracker could write a trojan that escalates itself using the powers of 
 the admin group, but why make it easier for those who don't know how?
 
 The myth that it should be easy for uneducated users to expose their 
 computers to harm is one reason why certain other GUI platforms have so many 
 security problems.
 
 
 host:/tmp1 sysmsimkin$ id
 uid=505(sysmsimkin) gid=505(sysmsimkin) groups=505(sysmsimkin), 
 81(appserveradm), 79(appserverusr), 80(admin)
 host:/tmp1 sysmsimkin$ ls -ld /tmp1
 drwxr-xr-x   3 501  admin  102 Jun 28  2006 /tmp1
 host:/tmp1 sysmsimkin$ mkdir /tmp1/tmp2
 mkdir: /tmp1/tmp2: Permission denied
 host:/tmp1 sysmsimkin$ /usr/bin/sudo /bin/bash
 Password:
 host:/tmp1 root# mkdir /tmp1/tmp2
 host:/tmp1 root# ls -ld /tmp1/tmp2
 drwxr-xr-x   2 root  admin  68 Jan 25 11:20 /tmp1/tmp2
 host:/tmp1 root# exit
 host:/tmp1 sysmsimkin$ rmdir /tmp1/tmp2
 rmdir: /tmp1/tmp2: Permission denied
 host:/tmp1 sysmsimkin$ /usr/bin/sudo /bin/bash
 host:/tmp1 root# rmdir /tmp1/tmp2
 host:/tmp1 root# exit
 host:/tmp1 sysmsimkin$ 
 
 More interesting (to me): why wasn't I prompted for a password the second 
 time? (Yes, I know it was designed that way; I'm asking whether that was the right 
 decision.) Presumably there is a window of vulnerability for a few minutes 
 AFTER you have been root during which you could fall victim to a trojan.

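A defender's check of the two sudoers settings Baptiste lists, measured against the credential-cache window Marvin asks about in the quoted message (an added example, not code from the thread; it assumes you pass it a readable copy of a sudoers file and that later Defaults lines override earlier ones, which is how sudo applies them):

```shell
#!/bin/sh
# Added example, not from the thread: audit a sudoers file for the two Defaults
# discussed above, timestamp_timeout and tty_tickets, which together bound how
# long and how widely a cached sudo authentication can be reused.
# Assumes a readable sudoers file path is passed, e.g. a copy of /etc/sudoers.

# Effective timestamp_timeout in minutes. Later Defaults lines override earlier
# ones, so the last match wins; sudo's built-in default is 5 when unset.
# Comment lines are skipped because the pattern is anchored at "Defaults".
sudo_timeout_minutes() {
    v=$(grep -E '^[[:space:]]*Defaults[^#]*timestamp_timeout[[:space:]]*=' "$1" \
        | sed -E 's/.*timestamp_timeout[[:space:]]*=[[:space:]]*(-?[0-9.]+).*/\1/' \
        | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '5\n'; fi
}

# Succeeds (exit 0) when tty_tickets is in effect. The last line mentioning it
# wins, and "!tty_tickets" switches it back off. The fallback when nothing is
# set is "off", matching the sudo of this thread's era; newer sudo releases
# enable tty_tickets by default, so adjust the fallback for those.
sudo_tty_tickets() {
    last=$(grep -E '^[[:space:]]*Defaults[^#]*tty_tickets' "$1" | tail -n 1)
    [ -n "$last" ] && ! printf '%s\n' "$last" | grep -q '!tty_tickets'
}

# One-word verdict on how a cached authentication may be reused.
sudo_cache_audit() {
    t=$(sudo_timeout_minutes "$1")
    if [ "$t" = "0" ]; then
        echo "prompt-every-time"          # Baptiste's first suggestion
    elif [ "$t" = "-1" ]; then
        echo "never-expires"              # worst case: the ticket never times out
    elif sudo_tty_tickets "$1"; then
        echo "cached-per-tty:${t}m"       # reuse limited to the same terminal
    else
        echo "cached-global:${t}m"        # any process of that user may reuse it
    fi
}

if [ "$#" -gt 0 ]; then sudo_cache_audit "$1"; fi
```

Run it as `sh sudo_cache_audit.sh /etc/sudoers` after `visudo -c` has confirmed the file parses; "cached-global" is the configuration Marvin's second sudo call demonstrates.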

Re: Remove all admin-root authorization prompts from OSX

2007-01-26 Thread Ben Bucksch

Marvin Simkin wrote:

I respectfully disagree with this proposal and maybe we should discuss it.

Being a member of the admin group is NOT 100% equal to being root.


Well, almost. Given that admins have write access to /Applications/, 
they can install trojans there, which will be run by all users.


The main purpose - IMHO - of root is to protect users from each other, 
not to protect the system binaries (the latter is just a necessity for 
the former), so that's already failing here.


Even though theoretically useless, the prompt does have a practical value:

Applications which are not outright illegal, i.e. from normal companies, 
and therefore would not employ above techniques, may still harm the 
system by installing dangerous or misbehaving binaries in /System/ et 
al. A lot of Mac apps are just bundles which can be installed by 
simply copying to /Applications/ or elsewhere, and similarly 
uninstalled, and don't affect the system (modulo trojans). Some come 
with installers just to show the license or similar silliness. When I 
install an app and I get asked for a root password, that is sign for me 
that the app will deeply change the core system and thus alter the 
behaviour of the machine even when the app is not running. Maybe half of 
the time, I deny the request and stop the installation.


For me, a Yes/No dialog box instead of password entry would achieve the 
same, but I find *some* barrier to root useful in many realworld 
situations, even if it doesn't protect from trojans. I think it also 
makes sane app vendors try to avoid requiring the system priviledge, 
which is a huge actual gain.


It does provide some false sense of security, but so does the user/root 
separation on single-user machines. (Esp. most Linux geeks have this 
false sense.) A malware program running under my user account already 
has access to my files - rooting the system doesn't gain much. 
Exceptions: network sniffing and special (and rare) solutions to protect 
certain files.


Re: Remove all admin-root authorization prompts from OSX

2007-01-26 Thread John Smith
haha, and I believe kev already had something to say on the topic  
when a n00b had previously posted that as a vuln in Mac OS X:


Explain to me how this is a MacOS specific bug? I can duplicate this
behavior on my debian linux machine.

http://www.securityfocus.com/archive/1/395142/30/0/threaded

John
On Jan 25, 2007, at 6:34 PM, Marvin Simkin wrote:

I respectfully disagree with this proposal and maybe we should  
discuss it.


Being a member of the admin group is NOT 100% equal to being root.  
Therefore when you switch from admin group to uid=0 you are  
escalating privileges. A trojan that gets control of an admin's  
session should not be able to escalate itself to root without a  
password prompt, which requires a human to decide (rightly or  
wrongly...) yes I do want to increase the authority of this process.


Sure, an admin should be smart enough not to get trojaned, but what  
if they do anyway?


Maybe a cracker could write a trojan that escalates itself using the  
powers of the admin group, but why make it easier for those who  
don't know how?


The myth that it should be easy for uneducated users to expose  
their computers to harm is one reason why certain other GUI  
platforms have so many security problems.



host:/tmp1 sysmsimkin$ id
uid=505(sysmsimkin) gid=505(sysmsimkin) groups=505(sysmsimkin), 81(appserveradm), 79(appserverusr), 80(admin)

host:/tmp1 sysmsimkin$ ls -ld /tmp1
drwxr-xr-x   3 501  admin  102 Jun 28  2006 /tmp1
host:/tmp1 sysmsimkin$ mkdir /tmp1/tmp2
mkdir: /tmp1/tmp2: Permission denied
host:/tmp1 sysmsimkin$ /usr/bin/sudo /bin/bash
Password:
host:/tmp1 root# mkdir /tmp1/tmp2
host:/tmp1 root# ls -ld /tmp1/tmp2
drwxr-xr-x   2 root  admin  68 Jan 25 11:20 /tmp1/tmp2
host:/tmp1 root# exit
host:/tmp1 sysmsimkin$ rmdir /tmp1/tmp2
rmdir: /tmp1/tmp2: Permission denied
host:/tmp1 sysmsimkin$ /usr/bin/sudo /bin/bash
host:/tmp1 root# rmdir /tmp1/tmp2
host:/tmp1 root# exit
host:/tmp1 sysmsimkin$

More interesting (to me): why wasn't I prompted for a password the  
second time? (Yes, I know it was designed that way; I'm asking whether  
that was the right decision.) Presumably there is a window of  
vulnerability for a few minutes AFTER you have been root during  
which you could fall victim to a trojan.


-
Marvin Simkin
Planetary Geology Group
School of Earth and Space Exploration
Arizona State University
http://simkin.asu.edu/
-Original Message-
From: K F (lists) [mailto:[EMAIL PROTECTED]
Sent: Wed 2007-01-24 18:20
To: bugtraq@securityfocus.com
Subject: Remove all admin-root authorization prompts from OSX

http://www.petitiononline.com/31337OSX/petition.html

-KF

RE: Remove all admin-root authorization prompts from OSX

2007-01-25 Thread Marvin Simkin
I respectfully disagree with this proposal and maybe we should discuss it.

Being a member of the admin group is NOT 100% equal to being root. Therefore 
when you switch from admin group to uid=0 you are escalating privileges. A 
trojan that gets control of an admin's session should not be able to escalate 
itself to root without a password prompt, which requires a human to decide 
(rightly or wrongly...) yes I do want to increase the authority of this process.

Sure, an admin should be smart enough not to get trojaned, but what if they do 
anyway?

Maybe a cracker could write a trojan that escalates itself using the powers of 
the admin group, but why make it easier for those who don't know how?

The myth that it should be easy for uneducated users to expose their computers 
to harm is one reason why certain other GUI platforms have so many security 
problems.


host:/tmp1 sysmsimkin$ id
uid=505(sysmsimkin) gid=505(sysmsimkin) groups=505(sysmsimkin), 
81(appserveradm), 79(appserverusr), 80(admin)
host:/tmp1 sysmsimkin$ ls -ld /tmp1
drwxr-xr-x   3 501  admin  102 Jun 28  2006 /tmp1
host:/tmp1 sysmsimkin$ mkdir /tmp1/tmp2
mkdir: /tmp1/tmp2: Permission denied
host:/tmp1 sysmsimkin$ /usr/bin/sudo /bin/bash
Password:
host:/tmp1 root# mkdir /tmp1/tmp2
host:/tmp1 root# ls -ld /tmp1/tmp2
drwxr-xr-x   2 root  admin  68 Jan 25 11:20 /tmp1/tmp2
host:/tmp1 root# exit
host:/tmp1 sysmsimkin$ rmdir /tmp1/tmp2
rmdir: /tmp1/tmp2: Permission denied
host:/tmp1 sysmsimkin$ /usr/bin/sudo /bin/bash
host:/tmp1 root# rmdir /tmp1/tmp2
host:/tmp1 root# exit
host:/tmp1 sysmsimkin$ 

More interesting (to me): why wasn't I prompted for a password the second time? 
(Yes, I know it was designed that way; I'm asking whether that was the right decision.) 
Presumably there is a window of vulnerability for a few minutes AFTER you have 
been root during which you could fall victim to a trojan.

-
Marvin Simkin
Planetary Geology Group
School of Earth and Space Exploration
Arizona State University
http://simkin.asu.edu/

-Original Message-
From: K F (lists) [mailto:[EMAIL PROTECTED]
Sent: Wed 2007-01-24 18:20
To: bugtraq@securityfocus.com
Subject: Remove all admin-root authorization prompts from OSX
 
http://www.petitiononline.com/31337OSX/petition.html

-KF