
Beware of sudo on OS X - lisper
http://blog.rongarret.info/2015/08/psa-beware-of-sudo-on-os-x.html
======
JakaJancar
Honest question:

Why does anyone still care about root escalation on workstations? When do we
stop pretending our MacBooks are multi-user UNIX mainframes?

App sandbox to full user privilege escalation may be scary. But if someone can
run arbitrary code as my user, then by all means, have root as well.

~~~
MrTonyD
I was part of the original UNIX porting team at NeXT, and we were just trying
to get the most popular non-proprietary operating system (UNIX) modernized (by
using Avie's CMU Mach) as the modern core to a standard OS. We didn't even
think about any server type applications. And Steve told us that he was tired
of being beaten-up at Apple for being closed source - so he wanted UNIX. (As
an aside, he refused to allow any object-oriented tools in the system - but in
Engineering we realized that Steve wouldn't know an object-oriented system
from a hole in the ground, so we ignored his direct orders to not put in
anything object oriented. The rest is history.)

~~~
feelix
Why was he against object orientation?

~~~
stcredzero
My guess: Back at that time, it was harder to afford the extra resources for
OO. It's not until the time I graduated college that machines and VMs of
managed environments started to get faster than "embarrassingly slow" in
mainstream hands. This is also a big part of the reason why there were
languages like Eiffel and also why C++ got so entrenched. Also explains the
existence of Objective-C.

~~~
cbd1984
> the extra resources for OO

Thinking like this annoys me, because it assumes a specific implementation for
OO. Are people conflating OO with Java? Are they conflating it with Smalltalk?
Are they unaware you can write C in an OO style?

> It's not until the time I graduated college that machines and VMs of managed
> environments started to get faster than "embarrassingly slow" in mainstream
> hands.

Yes. People are apparently conflating OO with Java or Smalltalk.

~~~
cynicalkane
The GP is talking about what OO was like _back at the time_. What the heck are
you complaining about?

There were very few fast OO languages and they were emerging at the time. The
most prominent examples of those languages are those languages GP names, and
they do not exactly live up to the promises of even contemporary OO research,
much less modern research.

~~~
asveikau
I share the poster's sentiment. OO is a mental box and a lot of people end up
with overly narrow definitions or have trouble escaping the box thinking. You
can apply the same ideas without language support. It is orthogonal to
bytecodes, VMs, GC or even a "class" keyword. But a lot of people have very
specific expectations and will have a hard time seeing this for what it is.

~~~
collyw
Actually I think this is the beautiful thing about Perl 5's OOP support.

It was clearly an after thought and a bit of a hack, but it works, and it
makes it transparent how everything works. I had been taught Java at
university before that, and the whole OOP thing was a bit of a hidden mystery.
Perl gave me a far better understanding of OOP.

------
gruez
> What this means is that if you use sudo to give yourself root privileges,
> your sudo authentication is not bound to the TTY in which you ran sudo. It
> applies to any process you (or malware running as you) start after
> authentication. The way Apple ships sudo it is, essentially, a giant privilege
> escalation vulnerability.

But even if you enable TTY tickets, a malicious process on your system can
still elevate itself by patching the shell (in memory, using /proc/id/mem) to
inject commands alongside the original sudo command. For example:

User types:

    sudo apt-get update

shell executes:

    sudo bash -c "apt-get update; evil.sh"

~~~
vortico
Or simply append `alias sudo="sudo evil.sh; sudo"` to .bash_profile.

Although, OS X is a bit like Windows. A bad program running in userspace can
essentially ruin your system as much as a program running as root. Privilege
escalation is not a relatively big deal when you can `shred -u ~/` without
root.
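The two points above (a sudoers file that never binds tickets to a TTY, and a shell startup file that quietly redefines `sudo`) are both things an administrator can check for. The script below is an added example written for this page, not code from the thread or from the linked post. It audits a sudoers file for `tty_tickets` and `timestamp_timeout` and scans a startup file for alias or function definitions named `sudo`. All three input files are constructed samples written to a temporary directory; the comment-stripping and pattern matching are deliberate simplifications (assumed good enough for a `Defaults` audit, not a full sudoers parser), and a sudoers file that does not mention `tty_tickets` at all means the compiled-in default applies, which `sudo -V` run as root reports.

```shell
#!/bin/sh
# Added example, not code from the thread or the blog post. Audits a sudoers
# file for the ticket settings discussed above and a shell startup file for
# overrides of `sudo`. Every input file here is a constructed sample.

# Print the "Defaults" lines of a sudoers file with comments stripped.
# Simplification: treats everything after '#' as a comment, which is wrong for
# '#include' directives but fine for a Defaults audit.
sudoers_defaults() {
    sed 's/#.*//' "$1" | grep -E '^[[:space:]]*Defaults' || true
}

# Return 0 if "Defaults tty_tickets" is in effect, 1 if it is negated
# ("!tty_tickets") or not mentioned at all. The last matching line wins, as in
# sudoers itself. "Not mentioned" means the compiled-in default applies;
# confirm that with `sudo -V` as root rather than assuming it is on.
sudoers_tty_tickets() {
    last=$(sudoers_defaults "$1" | grep 'tty_tickets' | tail -n 1)
    case "$last" in
        *'!tty_tickets'*) return 1 ;;
        *tty_tickets*)    return 0 ;;
        *)                return 1 ;;
    esac
}

# Print the configured timestamp_timeout (minutes), or nothing if unset.
# 0 means every sudo invocation re-prompts; a negative value never expires.
sudoers_timestamp_timeout() {
    sudoers_defaults "$1" \
      | sed -n 's/.*timestamp_timeout[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9.][0-9.]*\).*/\1/p' \
      | tail -n 1
}

# Print lines of a shell startup file that redefine `sudo` as an alias or a
# function. Exit status is grep's: 0 if something was found, 1 if clean.
rc_sudo_overrides() {
    grep -nE '^[[:space:]]*(alias[[:space:]]+sudo=|sudo[[:space:]]*\(\)|function[[:space:]]+sudo([[:space:]]|\(|\{|$))' "$1"
}

SAMPLES=$(mktemp -d)
WEAK_SUDOERS="$SAMPLES/sudoers.weak"
HARD_SUDOERS="$SAMPLES/sudoers.hard"
RC_FILE="$SAMPLES/bash_profile"

# Constructed: the permissive shape the post complains about
# (no tty_tickets line at all, default timeout).
cat > "$WEAK_SUDOERS" <<'EOF'
# constructed sample
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
EOF

# Constructed: the corrected settings. tty_tickets binds the ticket to the
# terminal, timestamp_timeout=0 re-prompts every time, logfile records use.
cat > "$HARD_SUDOERS" <<'EOF'
Defaults env_reset
Defaults tty_tickets
Defaults timestamp_timeout=0
Defaults logfile=/var/log/sudo.log
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
EOF

# Constructed: a startup file with one harmless alias and two sudo overrides
# (an alias wrapper and a function wrapper, both with placeholder paths).
cat > "$RC_FILE" <<'EOF'
export PATH="$HOME/bin:$PATH"
alias ll='ls -l'
alias sudo='sudo /tmp/wrapper.sh; sudo'
sudo() { command sudo "$@"; }
EOF

# Human-readable summary of all three checks.
report() {
    for f in "$WEAK_SUDOERS" "$HARD_SUDOERS"; do
        if sudoers_tty_tickets "$f"; then t=enabled; else t="not enabled"; fi
        to=$(sudoers_timestamp_timeout "$f")
        echo "$f: tty_tickets $t, timestamp_timeout=${to:-unset}"
    done
    if rc_sudo_overrides "$RC_FILE"; then
        echo "$RC_FILE: sudo is overridden (lines above)"
    else
        echo "$RC_FILE: no sudo override"
    fi
}
report
```

To audit a real machine, point the functions at `/etc/sudoers` (and the files under `/etc/sudoers.d`) and at each login's startup files (`~/.bash_profile`, `~/.bashrc`, `~/.zshrc`); the alias check only finds redefinitions in the file it is given, so a `sudo` shadowed by a binary earlier in `PATH` still needs a separate `type sudo` or `command -v sudo` check.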

~~~
coldtea
> _Although, OS X is a bit like Windows. A bad program running in userspace
> can essentially ruin your system as much as a program running as root._

Erm, OS X has sandboxing. So, no. Except if you use unsigned third party
stuff.

~~~
__david__
I think the only sandboxed apps are the ones from the App Store. Signing is
orthogonal to sandboxing. Even signed apps that you get from anywhere other
than the App Store aren't sandboxed.

~~~
comex
You can sandbox non-App Store apps the same way as App Store ones, you're just
not forced to. And so developers don't.

------
spitfire
Funny, I always thought this was supposed to be a feature. It remembered your
authentication for a few minutes after using sudo. I assumed it was part of
the OSX auth system and would forget if you locked the screen.

~~~
gosukiwi
Yeah I was thinking the same thing, probably that is why they ship those
defaults, better UX.

~~~
marcoamorales
Don't call a security flaw a UX feature please.

~~~
quesera
Passwords are both security flaws and UX features -- they're inherently
flawed, cannot be fixed, and are the only authentication system most people
can use successfully.

Security is always in tension with usability.

~~~
chadzawistowski
I think the flaw marcoamorales intended to point out is how sudo doesn't
always re-prompt for a password.

------
X-Istence
And this is a good reason to lock sudo down to a single application that is
allowed to be run. In my case I only allow su for my user. Now even if an
attacker were to try and use sudo they would also have to know that they can
only use su, and most automated attacks will fail.

~~~
eeZi
They'd just have to "sudo -l". No logging of executed commands either, that
way.

------
nbevans
Apple is going through the same awkward phase as Microsoft did with WinXP.
Except unlike what Microsoft did, Apple has not started a decisive internal
process to change things for the better.

~~~
pluckytree
How do you know this to be the case? Just curious.

------
brobinson
Is there some kind of advantage to this option not being set by default?

~~~
lisper
Sure, it makes things more convenient. Convenience and security are always a
trade-off.

~~~
adamnemecek
The parent comment was probably asking about some specific advantages.

~~~
eikenberry
Convenience is a specific advantage. It also is a great boon when you are used
to working in multiple terminals or are running a lot of remote sudo commands
over ssh (say testing an ansible setup).

------
code_sterling
Beware of sudo, always, everywhere. Seriously.

