sudo command on MacOS Sierra does not respect timestamp_timeout - shell

After upgrading to MacOS Sierra (10.12), my sudo command seems to be acting differently. See the following test case:
# Run in terminal pane #1: (should prompt for password)
sudo -v
# Run in terminal pane #2: (should NOT prompt for password)
sudo -v
The above works as expected on earlier versions of OS X. However, on Sierra, the second command prompts for the password again. It does not prompt for the password within the same terminal pane. This seems to only happen for the root user; the following works as expected on all OS versions including Sierra:
# Run in terminal pane #1: (prompts for password)
sudo -v -u "$USER"
# Run in terminal pane #2: (does not prompt for password)
sudo -v -u "$USER"
Looking at /ect/sudoers, the timestamp_timeout value is not set to 0. I've briefly looked over the changelog for 1.7 to 1.8 but could not come up with anything significant other than there being a mention of a policy plugin for Sierra when running sudo -V.
Can anybody help me figure out what has changed? I have a script that relies on the sudo timeout value for a keepalive and on Sierra it is prompting for the password constantly since it seems to no longer use a timestamp for the root user.

After a ton of searching and comparing the sudo configuration on older OS versions to Sierra's (sudo su; sudo -V), it seems that Sierra enables tty_tickets by default now, causing the issues mentioned above. As far as I can tell, this was an undocumented change. To fix, the following needs to be added to the /etc/sudoers file via running sudo visudo,
Defaults !tty_tickets

TLDR; BAD IDEA. This old behavior, while an option to sudo, is used as a default by NO OTHER UNIX-y OS that I have ever encountered. The reason being that it's trivial to exploit, and when exploited, the malignant code doing so will have full control of your system.
Original very long rant-y post, correctly pointed out to be blahdiblah:
LOL, this is funny. I came here from googling because I couldn't remember how I would change the old behavior to this new, correct one (used by every other UNIX-y OS out there). Hadn't even noticed my new Sierra Mac now behaved properly.
I wrote on the Mac forums earlier about this previous behavior which is a gaping security hole. I even supplied a three-line proof-of-concept script that would simply sit around (as a regular user) waiting for a sudo event to appear anywhere, then instantly gain root access to the system. I was booed out of the thread by the fanboys, then got banned from it from calling out lies. Seems Apple were listening, though. Good job, for once, Cupertino. Bad, BAD idea to try to get the old behavior back.
For reference, here's the three-liner. It doesn't do anything malignant, just adds a dummy file to the root of the filesystem once gaining sudo. Run it in a script (or just paste it somewhere which doesn't already have sudo), then either do a sudo in another terminal app/window or app which uses sudo (e.g. TrueCrypt/VeraCrypt or similar), then watch it work.
tail -f -n 0 /var/log/system.log | grep -m 1 -E 'sudo\[[0-9]+\]:\s+'$USER
echo "Gonna play around with root privs ..."
sudo touch /kilroy-was-here

Related

SSH login mac-to-mac

I have an iMac that I use somewhat as a server, and a Macbook laptop. For months I've opened a terminal on my laptop, typed "ssh user#host" (with more useful choices for 'user' and 'host', and was promptly rewarded with a "Password:" prompt, then the normal '$' prompt. Today it doesn't give me the $ prompt aftr a correct password. As a test, I gave an invalid pssword, and was rewarded with another prompt for password. The final test was to open the Terminus app on my iPhone, and got immediately to the $ prompt.
What might be the problem here, and where do I look first for a solution?
The first thing to try is:
ssh -v user#host
to get verbose messages.
If you have recently upgraded the server to macOS Ventura and you used to use RSA keys, you will probably need to log into the server and edit /etc/ssh/ssh_config and add the following two lines at the end since Apple tightened up security to disallow that older, relatively less secure method:
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa

curl command in git-bash

I have a script written in bash and tested working in Linux (CentOS 7) and on MacOS. The script uses cURL to interact with a REST API compliant data platform (XNAT).
I was hoping that Windows users could use the same script within git-bash that comes packaged with Git for Windows. Unfortunately there seems to be an issue when using cURL in git-bash.
The first use I make of cURL is to retrieve a JSESSION cookie:
COOKIE=`curl -k -u $USERNAME https://theaddress/JSESSION`
On Linux, this asks the user for password and stores the cookie in COOKIE.
In git-bash, issuing the command hangs, until using a "ctrl + C" to interrupt it. Strangely at that point the query message for the password is displayed, but too late, the script has terminated.
I have a suspicion that this may have to do with CR or LF issues, but cannot find some info I understand regarding this.
Any pointers would be welcome !
Thank you
EDIT:
It appears the above command works fine if I pass the password in the command like this:
COOKIE=`curl -k -u $USERNAME:$PASSWORD https://theaddress/JSESSION`
However, as pointed here:
Using cURL with a username and password?
I would rather avoid having the user typing their password as a command argument.
So the question is now "why is cURL not prompting for a password when I use the first command?" when in git-bash on Windows, while that command behaves as expected in Linux or MacOS:
COOKIE=`curl -k -u $USERNAME https://theaddress/JSESSION`
Ending up replying to my own question, hope this may be useful to someone else.
It appears this issue is a known problem when running cURL from within git-bash, according to this thread:
https://github.com/curl/curl/issues/573
In particular, see the answer of dscho on 30 Dec 2015:
The problem is the terminal emulator we use with Git Bash since Git for Windows 2.5, MinTTY.
This terminal emulator is not associated with a Win32 Console, therefore the user does not see anything when cURL wants to interact with the user via said Console.
This issue has a workaround, which is documented here:
https://github.com/git-for-windows/build-extra/blob/master/ReleaseNotes.md#known-issues
The workaround is to run curl via winpty as follows:
winpty curl [arguments]
Not an issue with CR or LF after all.
Soooo, git-bash may not be the magic-bullet (tm) to run my bash scripts in Windows with zero effort. Sigh...

Why /usr/bin/login does not fopen() /etc/shadow or /etc/passwd in OSX

I fired up opensnoop as sudo opensnoop -f /etc/shadow as well as sudo opensnoop -f /etc/passwd on my OSX Yosemite installation and then launched /usr/bin/login, typed in credentials and got a usual prompt however opensnoop never showed access to passwd or shadow. Why is that?
Apple likes to "think different". The location (and access methods) of the password hash data has changed a few times in various versions of OS X. As of 10.9 it moved to /var/db/dslocal/nodes/Default/users/(USERNAME).plist

How To add-trusted-cert on a Mac Remotely (without user interaction)

Is it possible to add a trusted certificate on a Mac OS X 10.8.3 remotely? If so, how?
My current approach is to use the command below. Can it be tweaked so that it works remotely without user interaction?
security add-trusted-cert foo.cer
When I try the command above, I get SecTrustSettingsSetTrustSettings: The authorization was denied since no user interaction was possible.
My situation: the tool I'm using executes /bin/sh -xe bar.sh on the target machine and I have control over [1] which user it executes as and [2] the contents of bar.sh which currently has security add-trusted-cert foo.cer. Unlocking the keychain first does not appear to be the answer.
The command below works but the password can be seen by another user with ps and maybe even ends up in a commmand-line history as well. If there's a better answer that avoids this problem, most likely I'll mark that one as the accepted answer.
echo "password" | sudo -S /usr/bin/security add-trusted-cert -d -r trustRoot -k /path/to/keychain /path/to/cert
I got it from http://www.bynkii.com/archives/2009/04/stupid_cert_tricks.html

How do I isolate problems with ssh-add/ssh-agent provided in the msys implementation that comes with msysgit?

I have installed msysgit: Git-1.7.8-preview20111206.exe from http://code.google.com/p/msysgit/downloads/list (Edit: I have also installed msysGit-fullinstall-1.7.8-preview20111206.exe, which conveniently installs to a different directory, and I am seeing the same problems with that instance).
And I am having a problem with ssh-agent, where ssh-add always reports: "Could not open a connection to your authentication agent."
Unfortunately, ssh-add does not give me any further details on the error it encountered. It feels like it is timing out when it tries to connect to a socket, but it does not actually admit that this is the issue, and ssh-agent acts like it is running normally. Thinking about this combination makes me suspect a permissions issue, but I have no idea where I would look to investigate that kind of problem (and I do no see anything that I recognize as significant in windows event log).
This error message baffles me: I have reason to believe that I could get this error message if my environmental variables were not set up properly, but I have reason to believe that I have my environmental variables set properly. I have reason to believe that I could get this error message if my environmental variables refer to an instance of ssh-agent which is not running, but I have exactly one instance of ssh-agent running and it matches what I see in the environmental variables. And this is repeatable. I have started (and eventually shut down) dozens of instances of ssh-agent, using techniques like ssh-agent > ~/.ssh/environment; . ~/.ssh/environment, and eval `ssh-agent` and ssh-agent bash and so on... and I cannot get msys ssh-add to connect to msys ssh-agent.
bash-3.1$ ps | grep ssh-agent
10304 1 10304 10304 ? 500 09:01:24 /bin/ssh-agent
bash-3.1$ bash -c 'set | grep SSH_A'
BASH_EXECUTION_STRING='set | grep SSH_A'
SSH_AGENT_PID=10304
SSH_AUTH_SOCK=/tmp/ssh-oAFwa11048/agent.11048
bash-3.1$ time ssh-add -L
Could not open a connection to your authentication agent.
real 0m10.730s
user 0m0.000s
sys 0m0.015s
bash-3.1$ wc /tmp/ssh-oAFwa11048/agent.11048
0 3 52 /tmp/ssh-oAFwa11048/agent.11048
bash-3.1$ cat /tmp/ssh-oAFwa11048/agent.11048; echo
!<socket >59261 060A4541-9831B739-519220DE-57936738
bash-3.1$
I am not concerned with scripting anything, just yet -- I believe that if I can get ssh-add working from the command line that I can script it...
And note also that the 10 seconds of real time that ssh-add uses happens before it issues the "Could not open..." message.
And, I am using a current version of windows 7, here. And, I also have cygwin installed, but it's not in my path when I am using msys. Task manager shows me that I only have one instance of ssh-agent running. The ssh-agent which is running is the msys ssh-agent, and was started from msysgit's bash prompt (without anything from cygwin in path). The ssh key was generated using cygwin's ssh-keygen, but superficial testing shows me that msys ssh utilities have no problem with the file. ssh-agent does not give me any error messages or warnings.
I can use cygwin's ssh-agent, but mixing cygwin and msys introduces other complexities (and you can see some of that just from my description of this issue), and I am trying to get msys working without anything from cygwin.
What do I need to do to find out why the msys ssh-add does not work? (Or: what do I need to do to get that ssh-add to work properly?)
I can't tell you much about the why's and how's, but I can tell you what I tried and what finally solved it.
In git bash:
exec ssh-agent bash
Then (in the changed shell):
ssh-add
That worked to a degree, I only had to type the passphrase once, but I lost the normal look. After some more searching I found a .bashrc script on this Github help page.

Resources