Wednesday, June 15, 2005

Securing Mac OS from the sudo command

This article from Security Focus describes a potential security hole in Mac OS that is easily fixed.

Like most UNIX systems, Mac OS includes the sudo command. This command is used to execute a single program with root-level privileges. It is generally considered safer than other mechanisms (such as logging on as root or using the su command to temporarily become root).

Sometimes, you have to execute several commands in a row as root. In order to not have to type in your password for every command, typical installations of sudo implement a 5-minute grace period, during which you do not have to re-enter your password. And as an additional convenience, this grace period applies to every session you are logged in to. (Note that every terminal window you have open is a separate login session as far as the system is concerned.)

By itself, this forms a minor security hole. Ordinarily, malicious programs on UNIX systems (including Mac OS) can't do much damage. Because of system security, the worst they can do is trash the user's files; they can't touch the system files. But if such a program issues a sudo command during the five-minute grace period after a legitimate sudo call, it gets root-level access without needing a password.

Ordinarily, this would be a minor problem - after all, the program would have to know when to issue the sudo command. It can't just keep calling sudo, because if it did, it would hang, waiting for you to type in a password.

Unfortunately, on Mac OS, it can find out when to do this. With the default installation of Mac OS, the system log is readable by everyone, and the sudo command logs each usage in the system log. So a malicious program simply has to monitor the system log, wait for a successful execution of sudo, and then issue a sudo command of its own.

The fix, fortunately, is simple. Just turn off the 5-minute grace period by adding the following line to the "Defaults" section of the /etc/sudoers config file:

    Defaults:ALL timestamp_timeout=0

That's all it takes. You can also change sudo's log messages to go to a non-public log file (like /var/log/secure.log) or restrict the grace period to a single login session, but these steps are unnecessary if you simply disable the grace period altogether.
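As an added example (not part of the original post or the Security Focus article), here is a small POSIX shell audit that reads a sudoers file and a log file and reports whether the condition described above (grace period still active, sudo usage recorded in a world-readable log) holds. The function names, the verdict labels and the sample files it builds are my own assumptions; it is read-only and only inspects the files it is given.

```shell
# Added audit helper, not code from the article or from sudo. Assumes the
# standard "Defaults" syntax without backslash line continuations.

# Emit every option from Defaults lines, one per line, comments stripped and
# comma lists split (handles "Defaults", "Defaults:ALL", "Defaults@host" ...).
sudoers_defaults_options() {
    sed 's/#.*//' "$1" \
        | grep -E '^[[:space:]]*Defaults' \
        | sed -E 's/^[[:space:]]*Defaults[^[:space:]]*[[:space:]]+//' \
        | tr ',' '\n' \
        | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//'
}

# Print the last timestamp_timeout value set, or "default" (sudo's built-in
# 5 minutes) when no Defaults line sets it.
sudoers_timestamp_timeout() {
    val=$(sudoers_defaults_options "$1" | grep -E '^timestamp_timeout=' | tail -n 1 | cut -d= -f2)
    [ -n "$val" ] && echo "$val" || echo default
}

# "yes" when the last tty_tickets setting restricts the grace period per session.
sudoers_tty_tickets() {
    last=$(sudoers_defaults_options "$1" | grep -Ex '!?tty_tickets' | tail -n 1)
    [ "$last" = "tty_tickets" ] && echo yes || echo no
}

# "yes" when the "other" read bit is set (column 8 of ls -l, portable to Mac OS).
file_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ] && echo yes || echo no
}

# Overall verdict for a sudoers file ($1) and the log sudo writes to ($2):
# disabled / per-tty / log-protected / exposed.
sudo_grace_period_status() {
    [ "$(sudoers_timestamp_timeout "$1")" = "0" ] && { echo disabled; return; }
    [ "$(sudoers_tty_tickets "$1")" = "yes" ] && { echo per-tty; return; }
    [ "$(file_world_readable "$2")" = "no" ] && { echo log-protected; return; }
    echo exposed
}

# Demonstration on constructed files (not real system files): the default
# grace period plus a world-readable log, then the fix from the article applied.
demo=$(mktemp -d)
printf 'Defaults env_reset\nroot ALL=(ALL) ALL\n' > "$demo/sudoers"
: > "$demo/system.log" && chmod 644 "$demo/system.log"
echo "before fix: $(sudo_grace_period_status "$demo/sudoers" "$demo/system.log")"
printf 'Defaults:ALL timestamp_timeout=0\n' >> "$demo/sudoers"
echo "after fix:  $(sudo_grace_period_status "$demo/sudoers" "$demo/system.log")"
rm -rf "$demo"
```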

This does mean that you will have to enter your password for each and every sudo command you issue (including those that are issued implicitly by software installers), but I think this is a small price to pay and it eliminates a very real security hole that could be exploited in the future.
