Breaking In to Mac OS X

When Apple designed Mac OS X, they wisely chose to disable the root account. There is no way to “log in” as root on a stock OS X client. Apple also has wisely disabled all remote access by default. There are no back doors or cool server features enabled by default. If you want to be a server, you have to turn that on. But Apple’s security appears to be akin to the Roman defensive structure: heavily arm the border, but leave the interior unprotected. It works, as long as no one gets through the border. But once they break through, there are some relatively simple ways to gain root access.

In order to perform root tasks, a user must first be authorized to perform root tasks. That is, they must be an “administrative” user. By default, the first account you create on a Mac OS X system is an administrative user. Second, the person at the terminal must know that user’s password. No one can come up to your computer, request root access, and get it, without knowing your password. Or, at least, that’s the way it is supposed to work.

Gaining root access allows a hacker to do whatever they want on your computer. They can erase not only your files, but everybody else’s files as well. They can set up root servers on your Mac and use it to spread spam, viruses, and worms to other computers. They can set themselves up so that it is very difficult to remove them without re-installing everything from scratch.

One very simple way of avoiding many, if not most, of these attacks, is to not use the administrative account for general work. If your account is not an administrative one, then no amount of invisible scripting can give a hacker access to root, because you do not have access to root. On those rare occasions when you do need root access, you can log out, log in as your administrative account, and do your work. This will vastly reduce your vulnerability to hacking.

Create a new Admin account

If you use an administrative account as your regular login account, anyone with a few seconds of access to your computer can create a new administrative account. By default, whenever you log in the “Accounts” system preference is unlocked. If you lock it, it will unlock if you log out and log back in again. (Verified in 10.2, and verified that it is unlocked by default in 10.3.) This makes it trivially easy for someone who has a few seconds of access to your computer to add a new, administrative account that they will then be able to access from anywhere on the net.

It wouldn’t surprise me if this could be scripted with applescript’s UI scripting.

  • Do not use your administrative account as your regular login account.
  • Do not leave your computer unattended while you are logged into an administrative account.
  • Bug Apple to lock the Accounts system preference just like they lock other administrative preferences.

Password Guesses

Obviously, if someone can guess the password for the administrative account, they can get root access by coming up to the computer and using it. Any administrative account should have a very difficult password, and that password should never be used in an insecure setting.

This is especially true if you enable any remote services in the “Sharing” system preference. Once you enable “FTP Access”, “Remote Login”, or any other service that allow remote users to do things on your computer, remote users who have your password have access to your computer from anywhere on the net.

Your password should not be written down except perhaps in a locked place. And it should not be any permutation of your name, a family member’s name, a lover’s name, a date, or your pet. It should not be anything that could be guessed in, say, a hundred or a thousand tries by someone who knows who you are, who you hang out with, or who simply has access to a dictionary. The guessing will be done by a computer, and computers are good at that kind of guessing.

  • Use a reasonably unguessable password for your administrative account(s).
  • Never use that password with FTP.
  • Do not use that password for any other service, especially for any other service that does not use secure connections or that stores the password in a manner that allows them to send it to you later when you forget it.
  • Do not write this password down without keeping it in a very safe place separate from your computer.
  • Do not turn on remote access services (such as FTP, remote login, etc.) unless you need them.
  • If you only need remote access from specific computers, consider purchasing or downloading a firewall. It can be software or hardware. If you have a wireless base station of some kind, for example, it may have a firewall built in. Learn how it works.
  • Bug Apple to provide an easy to use firewall that lets you limit access to specific networks or hosts.

After Authentication

All of those padlocks in your system preferences are there to display whether or not you are allowed to change things that normally only root can change. They should be locked by default.

For example, the “Sharing” tab is often unlocked. If the sharing tab is unlocked, a hacker with physical access to your computer can come in, quickly enable “Remote Login” and “FTP Access”, and then do the rest of their hacking from somewhere else.

You should keep your padlocks locked unless you are in the process of making changes.

  • Lock your lockable preferences. Check “Accounts”, “Network”, “Sharing”, and “Startup Disk” at the very least.
  • Check “Activation” in “Screen Effects” to see if you have your screen effects set to turn on after a short time, and that you have it set to require a password after you’ve been away from the computer for five to ten minutes.
  • Bug Apple to automatically lock lockable preferences after a set period of time by default.

Waiting for sudo

If you use the terminal or secure shell (by turning “remote login” on), and you use sudo, sudo becomes enabled for five minutes from anywhere on your system. If you leave a terminal session (“remote login”) running from somewhere else on the network, and someone else finds it, they can hold that session open until you shutdown (not logout) your computer. And then wait for you to use sudo. Once you use sudo, they can use sudo without knowing your password as long as they use it within five minutes.

Other ways to take advantage of the sudo hole are by somehow running software on your computer: put a piece of software running in the background, or put something in your “crontab” file that will automatically run every, say, three or four minutes.

Putting this software on your computer can be done if they have physical access while you are logged in. No password is required. But it can also be done if there are holes in other software that you use. For example, the infamous URI hole that Apple has just recently fixed as I write this allowed anyone to write software to your computer simply because you browse the web. It was completely automated and did not require you to do anything except happen to visit a web page that included this invisible trick.

Any hole that allows external users to write or choose, and then run, programs on your computers will likely allow them to take advantage of waiting for sudo.

For example, you do not need to be root to do the following to your currently logged in account:

  1. crontab -l > /tmp/cfx
  2. echo "*/3 * * * * /usr/bin/sudo /usr/bin/touch $HOME/Desktop/ownedyou" >> /tmp/cfx
  3. crontab /tmp/cfx

Now, within three minutes of your using sudo, you will see a file called “ownedyou” sitting on your desktop, created by root. This could, of course, have run any program as root.

Of course, this will also generate a lot of e-mail to your account for all the times that it failed: one mail message every three minutes. But by default outgoing e-mail is disabled on Mac OS X. All of those warnings will pile up and be ignored.

  • Keep your system software up to date with SoftwareUpdate.
  • Don’t leave terminal sessions open.
  • If possible, don’t use an administrative account for general use.
  • If at all possible, don’t use administrative accounts to log in from other computers. If you use an administrative account on your desktop, make a non-administrative account for remote logins.
  • Log out when you don’t need to be logged in.
  • Shutdown your computer when you aren’t using it.
  • Don’t leave your computer unattended without requiring a password.
  • Enable outgoing e-mail if and only if you feel technically comfortable with it.
  • Bug Apple to make sudo require a password per session, not per user.
  • Bug Apple to enable outgoing e-mail by default, even if it is only allowed to send to itself, and have Mail pay attention to it.

Automatic startup items

Mac OS X is set up so that different areas of the computer belong to different levels of access. For example, items that are in /System/Library/ are root, and generally will run as root. Items in /Users/USERNAME/Library/ are for that particular user, and generally will run as that user (if they run at all).

But there is a middle ground that is accessible by each user and at the same time occasionally runs as root. This is /Library/, which is meant for items that are user installed but usable by any user on the system. By default, /Library/ is writable by anyone in the admin group, and by default your account is admin—it’s an administrative user.

Under at least some circumstances in 10.2, even if you later add a new administrative user and remove administrative access from your main account, that account is still in the Unix-level admin group. It still has write access to /Library/. I think that this has been fixed in 10.3.

One of the folders that can go in /System/Library/ and /Library/ is “StartupItems”. StartupItems contains scripts that run when the computer starts up. These scripts run as root.

If you’ve made it this far, I think you see where I’m going with this.

To their credit, Apple appears to be fixing this. They are moving away from using /Library/StartupItems in favor of a folder (/etc/mach_init.d) that is writable by root only. And /Library/StartupItems are ignored by default on Mac OS X Server 10.3. But as it currently stands, if someone otherwise gains access to write to your Mac OS X Client computer (as with the recent URI exploit), they probably have the ability to get root access the next time you start up your computer. No password required.

Note that I’m using StartupItems as an example because I know about it. The real problem here is that Apple has trusted a group-writable part of the OS as something that can run software as root. There may be other places in /Library/ or in other parts of the OS that are also vulnerable.

  • When you set up a new computer, always set up a non-administrative account immediately as your real account.
  • Keep your system software up to date with SoftwareUpdate.
  • Don’t leave your computer unattended without requiring a password.
  • Don’t leave terminal sessions open.
  • Create a folder called “StartupItems” in your /Library/ folder, and make sure that your normal account cannot write to it.
  • Bug Apple to either make /Library/ not writable without authentication, or to make items in /Library/ run as a safe non-root user (probably not nobody).

Single User Mode

This one takes more time, and requires physical access to your computer. It can't (I hope) be done over the net because no net-related exploit can stick a CD/DVD into your CD/DVD drive or hold down the CMD-S keys, and if they did, well, that would break the net connection. However, if someone can reboot your computer, they can get root mode and set up whatever they want. The only caveat is that if they attempt to change your password you'll know it. But since they'll be able to set up their own admin account or simply enable root, they won't have to change your password.

I hesitate to list this one, as it is not quick, it is generally going to be obvious (i.e., if they change your password, you'll no longer be able to log in), and I don't believe Apple can do much to fix it without turning many people's computers into very expensive paperweights. But if you are comfortable setting a separate password for you to fix a forgotten administrative password, you can disable the ability to boot from a CD or other external drive, or into single user mode, without also knowing a password. Use the "Open Firmware Password" utility from Apple's support web site to set up a password against such actions. Just remember that the password applies to you as well. If you forget that password, you will need to get down and dirty to disable it.