
Remove insecure root 'grace period' from sudo UNIX
When you run a privileged command from a shell, or a GUI tool that calls sudo behind the scenes (Apple does this in several places), sudo checks your password and then runs the command as root. Unfortunately, sudo also keeps a 'grace period' (five minutes by default), during which it will run further privileged commands for you without asking for the password again. This presents a problem in OS X, where another application (such as a widget) could hijack your privileged access after you authenticate for some unrelated task (see this thread on macosx.com for more information about this particular vulnerability).

Fortunately, the grace period can be removed so that you will have to type your sudo password every time you want to perform a privileged task. This makes for a more secure system, since another application or widget can no longer reuse your cached authentication. Simply add this line to your /etc/sudoers file:
Defaults:ALL timestamp_timeout=0
The ':ALL' qualifier applies the setting to every user, so a plain 'Defaults timestamp_timeout=0' line does the same thing. One caveat: a program that runs sudo without a terminal and relies on the cached timestamp will now fail with an error about requiring a tty, because sudo has nowhere to prompt for the password (one comment below reports exactly this with Carbon Copy Cloner 2.3).
[robg adds: To edit the sudoers file, you'll need to use a special program called visudo, which must itself be run as root via sudo (got that?). So just type sudo visudo, and edit away (it's a version of vi).]
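As an added example (not code from the hint, and not sudo's own parser), here is a small Python audit that reads the Defaults lines of a sudoers file and reports the effective settings this page discusses: timestamp_timeout, tty_tickets, requiretty, syslog and logfile. The sample sudoers embedded in it is constructed for the example; sudo's compiled-in five-minute default is stated as a constant, and the assumption that tty_tickets is off and syslog on by default (as in the sudo of this era) is marked as such. Plain Defaults and Defaults:ALL are treated as applying to everyone, with later lines overriding earlier ones; narrower scopes such as Defaults:alice or Defaults@host are parsed but not applied.

```python
"""Audit the Defaults lines in a sudoers file for the settings discussed in
this hint (timestamp_timeout, tty_tickets, requiretty, syslog, logfile).
Added example for this page; it is not sudo's own parser and only covers
the part of the Defaults grammar it needs."""
import re

DEFAULT_TIMEOUT_MINUTES = 5.0   # sudo's compiled-in default grace period
DEFAULT_TTY_TICKETS = False     # assumption: off, as in the sudo of this era
DEFAULT_SYSLOG = True

# Constructed sample: a stock-looking sudoers with the hardening lines from
# this page appended.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL

Defaults        env_reset, \\
                mail_badpass
Defaults:ALL    timestamp_timeout=0   # the hint's line
Defaults:ALL    !syslog
Defaults:ALL    logfile="/var/log/secure.log"
Defaults        tty_tickets, insults, requiretty
"""

DEFAULTS_LINE = re.compile(r'^Defaults([:@!>]\S+)?\s+(.+)$')
OPTION = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*(\+=|-=|=)\s*(.*)$')


def split_options(text):
    """Split 'a, b=1, c="x,y"' on commas outside quotes; drop a trailing comment."""
    opts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif ch == '#' and not quoted:
            break
        elif ch == ',' and not quoted:
            opts.append(''.join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    opts.append(''.join(buf).strip())
    return [o for o in opts if o]


def parse_option(opt):
    """Return (name, value): True/False for flags, a string for name=value."""
    if opt.startswith('!'):
        return opt[1:].strip(), False
    m = OPTION.match(opt)
    if not m:
        return opt, True
    name, _op, value = m.groups()
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return name, value


def parse_defaults(text):
    """Yield (scope, name, value) for every option on every Defaults line.
    scope is '' for plain Defaults, or e.g. ':ALL', ':alice', '@host'."""
    pending = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith('\\'):                # continuation line
            pending.append(line[:-1])
            continue
        pending.append(line)
        line = ' '.join(pending).strip()
        pending = []
        if not line or line.startswith('#'):   # comment or #include
            continue
        m = DEFAULTS_LINE.match(line)
        if not m:
            continue                            # user spec, alias, etc.
        scope = m.group(1) or ''
        for opt in split_options(m.group(2)):
            name, value = parse_option(opt)
            yield scope, name, value


def audit(text):
    """Effective settings for any user: plain Defaults and Defaults:ALL apply,
    later lines win; narrower scopes are left to a fuller parser."""
    eff = {}
    for scope, name, value in parse_defaults(text):
        if scope in ('', ':ALL'):
            eff[name] = value
    try:
        timeout = float(eff.get('timestamp_timeout', DEFAULT_TIMEOUT_MINUTES))
    except (TypeError, ValueError):
        timeout = DEFAULT_TIMEOUT_MINUTES
    logfile = eff.get('logfile')
    return {
        'grace_period_minutes': timeout,
        'grace_period_disabled': timeout == 0,
        'grace_period_never_expires': timeout < 0,
        'tty_tickets': eff.get('tty_tickets', DEFAULT_TTY_TICKETS) is True,
        'requiretty': eff.get('requiretty', False) is True,
        'syslog': eff.get('syslog', DEFAULT_SYSLOG) is not False,
        'logfile': logfile if isinstance(logfile, str) else None,
    }


if __name__ == '__main__':
    for key, value in audit(SAMPLE_SUDOERS).items():
        print(f'{key:28} {value}')
```

Run it against a copy of your own file (sudo cat /etc/sudoers > /tmp/sudoers.copy, then audit(open('/tmp/sudoers.copy').read())) to confirm grace_period_disabled is True before relying on the change; a value below zero means the timestamp never expires, which is the opposite of what this hint intends.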

Comments (22)
Remove insecure root 'grace period' from sudo
Authored by: kokaviel on Wed, Jun 1 2005 at 11:10AM PDT
visudo just does some sanity checks before it writes to disk. If you happen to not know vi, you can just edit it with emacs, pico, etc. Just don't do anything crazy, and make sure you keep a backup in case you end up making a mistake and need to revert.

not using visudo
Authored by: hayne on Wed, Jun 1 2005 at 12:46PM PDT
Note that if you don't use 'visudo' and you introduce a syntax error into the /etc/sudoers file, you will need to resort to single-user mode to fix it, since 'sudo' will not work if there is a syntax error in the /etc/sudoers file.

visudo & other editors
Authored by: vykor on Wed, Jun 1 2005 at 12:53PM PDT
The version of visudo on Panther is compiled with an enveditor option that obeys the EDITOR variable in the shell. Set visudo to use emacs (or whatever editor) as the default by exporting a new EDITOR variable.

As an emacs guy, I've always done this in emacs. All the benefits of visudo, without the syntax of vi.

Remove insecure root 'grace period' from sudo
Authored by: thype on Wed, Jun 1 2005 at 11:34AM PDT
The following should be added under defaults as well...

Defaults tty_tickets, insults, requiretty


This forces each tty instance to require a separate ticketed instance of sudo. Drop the shell and sudo removes the ticket, disallowing access until a new authentication takes place.

Remove insecure root 'grace period' from sudo
Authored by: greed on Wed, Jun 1 2005 at 11:57AM PDT
Once the grace period is zero, there is really no concern about TTY tickets--you're going to have to enter the password each time anyway, regardless of which TTY you're on.

requiretty prevents someone from using sudo through a program that doesn't allocate a controlling terminal, like "ssh hostname command". Since background programs [usually] don't have controlling TTYs, that prevents them from using sudo at all--even prompted... of course, without a TTY, there's nowhere to prompt, and you've set ticket lifetime to zero, yes?

insults is a critical security feature. It belittles the operator for entering a bad password, and thus encourages use of the correct password each time sudo is used.


Remove insecure root 'grace period' from sudo
Authored by: thype on Wed, Jun 1 2005 at 12:44PM PDT
Yes, insults does not really need to be there. I just did a copy and paste of what my servers have set.

I tested this, and since the tty_tickets and timestamp_timeout=0 are set as defaults, some installs have asked me to login multiple times.

This may have been due to the way the installs worked, but without the above, running sudo once allows any tty access to the same ticket of authority and can keep it open as long as it wants, or until the process is killed.

I am of the belief this works in the same fashion as any *NIX OS, unless I am wrong.

Remove insecure root 'grace period' from sudo
Authored by: greed on Wed, Jun 1 2005 at 3:16PM PDT
By default, you've got "timestamp_timeout" amount of time from a password prompt to invoke "sudo" again without being prompted for a password.

With "tty_tickets", your ticket is only good on a single TTY; if you change TTYs but are still within the timeout period, you'll have to type your password.

So, by setting "timestamp_timeout" to 0, you must always enter a password, even if you do two sudos in a row on the same TTY:

sudo true ; sudo true

tty_tickets isn't much help in securing things, because all Cocoa/Carbon apps run under the same TTY ("console"). So the only way to prevent something from taking advantage of you authenticating an installer is to clear the timeout and key the password multiple times instead.

It Would Be Nice if you could set up timestamp_timeout on "console" to 0, but keep it at several minutes for /dev/tty*, so that your Terminal.app, xterm, iTerm.app, and so on windows work as usual.

And yes, this is all standard-on-all-UNIXes behavior of sudo. The unusual thing is the way Apple has automatic sudo in several spots in the GUI. (And I'll give them credit for just using sudo, rather than inventing yet another tool for the job. Though it did expose the timestamp_timeout risk in a way that most sudo-ers don't anticipate--I've tightened up sudo on all my systems as a result.)


Remove insecure root 'grace period' from sudo
Authored by: thype on Wed, Jun 1 2005 at 4:04PM PDT
Thanks for the clarification.

I was thinking about that afterwards, and found no way to differentiate timeouts for console. There is software to handle this, but nothing that works well, or securely.

Remove insecure root 'grace period' from sudo
Authored by: sheepmaster on Wed, Jun 1 2005 at 11:57AM PDT

Um, sudo doesn't drop the ticket when you exit the shell (it doesn't even run at this point).

But nevertheless, the tty_tickets option should be sufficient to disallow a malicious widget to run as root without losing the comfort of only having to authenticate about every 5 minutes.

On a side remark, even with the sudo security issue solved, a malicious widget could still do quite some damage, like removing your home directory, so you should still be careful about which widgets you install.



Remove insecure root 'grace period' from sudo
Authored by: greed on Wed, Jun 1 2005 at 3:19PM PDT
The problem with just using tty_tickets is that everything in the GUI is under "console", except for terminal-type windows.

So authenticating an installer (for example) will still open you up to a malicious widget, as they're both under "console".

(And yes, your user data is always at risk from something you run.)


`sudo -k`
Authored by: lullabud on Wed, Jun 1 2005 at 1:06PM PDT
Issuing 'sudo -k' will expire the timeout rather than waiting for the grace period to actually time out. This is another solution that may work better for you, depending on your needs.

`sudo -k`
Authored by: maintain1 on Wed, Jun 1 2005 at 5:19PM PDT
If you are using the Bourne shell, then a file in your home directory called .logout with the line 'sudo -k' in it will work.
.bash_logout is the name for the bash shell.
This will only work if the scripts use exit at the end of them.

`sudo -k`
Authored by: NovaScotian on Thu, Jun 2 2005 at 2:33PM PDT
This hint is particularly useful from AppleScripts - i.e.

do shell script "sudo pmset spindown 0 dim 0" password myPW with administrator privileges
-- then your other stuff,  but ending with
do shell script "sudo -k"


`sudo -k`
Authored by: ringo999 on Tue, Sep 27 2005 at 9:46AM PDT
Isn't it a bit "stupid" to save your password in plain text in a script? This is what sudoers is for. I enabled my user for the pmset command with the NOPASSWD feature.

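A concrete form of the NOPASSWD approach described above, added here as an example rather than taken from the thread. The user name 'alice' and the /usr/bin/pmset path are placeholders. The scope of the rule is what matters: granting the whole pmset binary lets any process running as alice call pmset with any arguments without a password, while listing the exact command line keeps everything else behind a password prompt.

```sudoers
# Weak: the whole pmset binary, with any arguments, needs no password
alice ALL=(root) NOPASSWD: /usr/bin/pmset

# Tighter: only the exact command line the script needs is passwordless;
# any other pmset invocation, and any other command, still prompts
alice ALL=(root) NOPASSWD: /usr/bin/pmset spindown 0 dim 0
```

Add the line with visudo, as the rest of this thread says, and keep it as the last matching rule for that user, since sudo uses the last entry that matches a command.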
Redirect sudo logging
Authored by: ChrisAllison on Wed, Jun 1 2005 at 5:05PM PDT
Another sudo config that is a good idea is redirecting sudo's logging. Add the following to /etc/sudoers (as stated above, please edit this file with visudo, there is good reason to do so, and no reason not to):
Defaults:ALL    !syslog
Defaults:ALL    logfile=/var/log/secure.log
The above redirects sudo logs to /var/log/secure.log (rather than the default, /var/log/system.log), which can only be read using sudo/by root, as opposed to /var/log/system.log, which can be read (without sudo) by anyone in the admin group.

Changing logging will ensure that if you don't set timestamp_timeout to 0, malicious applications can't monitor system.log to see when a sudo session is authenticated (to try and piggy-back onto it).
A good write up of this can be found at http://adbas.net/OSX_Vuln.txt (I have no connection with this site).

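To make the timing leak above concrete, here is an added example (not code from the thread): a process that can read system.log can parse sudo's own log lines, which name the user, the TTY and the time of every successful run, and work out whether a five-minute grace window is still open and on which TTY. The log lines, hostname and user are constructed; the year is passed in because syslog timestamps carry none; the line format is the one sudo writes through syslog. The same function also illustrates the earlier exchange about tty_tickets: with it on, the window is only open for the TTY that authenticated, which for GUI-launched sudo is always 'console'; with timestamp_timeout=0 nothing is ever open.

```python
"""Estimate which sudo grace windows are open from the sudo lines in a
world-readable system.log. Added example for this thread, not code from
the original page; the log lines below are constructed."""
import re
from datetime import datetime, timedelta

# Constructed sample of what sudo logs through syslog: two successful runs
# (one from a Terminal tty, one from the GUI 'console' tty), one failed
# password attempt, and an unrelated kernel line.
SAMPLE_LOG = """\
Jun  1 12:40:03 powerbook sudo:    alice : TTY=ttys001 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/true
Jun  1 12:46:01 powerbook sudo:    alice : TTY=console ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/sbin/installer -pkg /tmp/tool.pkg -target /
Jun  1 12:47:12 powerbook sudo:    alice : 1 incorrect password attempt ; TTY=ttys002 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/ls
Jun  1 12:48:30 powerbook kernel: unrelated message
"""

# Reference "now" for the sample, a few minutes after the last success.
REFERENCE_NOW = datetime(2005, 6, 1, 12, 49, 0)

SUDO_LINE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sudo:\s+'
    r'(?P<user>\S+)\s+:\s+(?P<rest>.*)$')


def parse_sudo_lines(text, year):
    """Yield (timestamp, user, tty, ok) for every sudo line in the log."""
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        fields = m.group('rest').split(' ; ')
        kv = dict(f.split('=', 1) for f in fields if '=' in f)
        # A successful run's fields start with TTY=...; a failure starts with
        # a message such as "1 incorrect password attempt".
        ok = fields[0].startswith('TTY=')
        yield ts, m.group('user'), kv.get('TTY', '?'), ok


def open_windows(text, now, year, timeout_minutes=5.0, tty_tickets=False):
    """Return {key: seconds_left} for grace windows still open at `now`.
    key is the user, or (user, tty) when tty_tickets is in effect."""
    last_ok = {}
    for ts, user, tty, ok in parse_sudo_lines(text, year):
        if not ok:
            continue                  # a failed attempt does not refresh the timestamp
        key = (user, tty) if tty_tickets else user
        if key not in last_ok or ts > last_ok[key]:
            last_ok[key] = ts
    window = timedelta(minutes=timeout_minutes)
    result = {}
    for key, ts in last_ok.items():
        left = (ts + window - now).total_seconds()
        if left > 0:
            result[key] = left
    return result


if __name__ == '__main__':
    year = REFERENCE_NOW.year
    print('default (5 min, no tty_tickets):',
          open_windows(SAMPLE_LOG, REFERENCE_NOW, year))
    print('with tty_tickets:',
          open_windows(SAMPLE_LOG, REFERENCE_NOW, year, tty_tickets=True))
    print('with timestamp_timeout=0:',
          open_windows(SAMPLE_LOG, REFERENCE_NOW, year, timeout_minutes=0))
```

Redirecting sudo's log to a root-only file removes the input this script relies on, but the window itself still exists until timestamp_timeout is set to 0 or the user runs sudo -k; the log change only stops an unprivileged process from knowing when to try.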
Oups :/
Authored by: peeloo on Thu, Jun 2 2005 at 3:26AM PDT
I've got a syntax error after editing in sudoers file with this syntax :/

How can I correct this error or come back to my "insecure and error-free" environment?

Oups :/
Authored by: jzdziarski on Thu, Jun 2 2005 at 8:08AM PDT
Probably need to boot into single user mode and fix it.

Remove insecure root 'grace period' from sudo
Authored by: chucky23 on Fri, Jun 3 2005 at 8:24PM PDT
Is there a downside to removing the grace period?

My inquiry is especially about whether or not there is any downside to doing this from a GUI user perspective. (I spend very little time in Terminal.)

- Will installers that need to be authenticated choke?
- Are there any other potential problems?

Remove insecure root 'grace period' from sudo
Authored by: hunty on Tue, Sep 27 2005 at 11:13PM PDT
Doing this hint makes some programs that rely on the grace period fail. For example, Carbon Copy Cloner 2.3 does not work if you have performed this change; it gives an error about requiring a tty to perform sudo.

Cheers,

calum

Remove insecure root 'grace period' from sudo
Authored by: michab on Tue, May 15 2007 at 9:58AM PDT
you can type "sudo -k" to set the timestamp to 0, or type "sudo -K" to remove the timestamp completely.

Remove insecure root 'grace period' from sudo
Authored by: covisp on Thu, Jun 19 2008 at 5:46AM PDT
Just a quick note, 'visudo' is not a version of vi and has nothing to do with vi. The command is simply a syntax checking wrapper that uses whatever EDITOR you have set. That might be vi, or nano, or emacs, or perhaps even BBEdit. Makes no difference to visudo.


---
http://www.covisp.net

Remove insecure root 'grace period' from sudo
Authored by: outer on Sun, Dec 13 2009 at 5:52AM PST
Why does 'ALL' need to be specified? Isn't 'ALL' the default?
