Archive

Archive for September 21, 2016

tty_tickets option now on by default for macOS Sierra’s sudo tool

September 21, 2016 1 comment

While working on some documentation, I noticed a behavioral change in macOS Sierra’s sudo tool that was different from how sudo behaves on OS X El Capitan.

El Capitan

if you run sudo in one Terminal session and authenticate with your password, then open another Terminal session and run sudo, you won’t be prompted for your password in either Terminal session until the normal sudo authentication timeout. To see what this behavior looks like, please see the video below:

Sierra

If you run sudo in one Terminal session and authenticate with your password, then open another Terminal session and run sudo, you’ll get asked for your password in the second Terminal session too. Meanwhile, in the first Terminal session, you won’t get prompted again until the normal sudo authentication timeout. To see what this behavior looks like, please see the video below:

The difference is that Apple has compiled sudo on Sierra to include the tty_tickets option, which ensures that users need to authenticate on a per-Terminal session basis.

Screen Shot 2016 09 21 at 3 06 19 PM

 

This option had not been included in sudo on OS X El Capitan and earlier, which had been viewed as a privilege escalation vulnerability.

If you want sudo to return to using the pre-Sierra behavior on macOS Sierra, edit /etc/sudoers to add the following option:

 

Screen Shot 2016 09 21 at 2 25 38 PM 

macOS Sierra’s /Volumes folder is no longer world-writable

September 21, 2016 14 comments

One of the changes made in macOS Sierra is summed up by my colleague @n8felton below:

/Volumes is the invisible directory used by OS X and macOS as the OS’s default mount point for accessing the filesystems of other storage (like external hard drives, USB flash drives, mounted disk images, network fileshares, etc.)

Sierra 2016 09 21 at 8 56 48 AM

Up to OS X El Capitan, the /Volumes directory was world-writable and had the following permissions:

ElCap 2016 09 21 at 11 20 51 AM

ElCap 2016 09 21 at 11 21 07 AM

This meant that any process or user could create a directory inside /Volumes or store files there.

 

World-writable directories are generally seen as a security risk, which may explain why Apple chose to change the permissions on the /Volumes directory. As of macOS Sierra, the permissions on the directory are as follows:

Sierra 2016 09 21 at 8 57 11 AM

Sierra 2016 09 21 at 8 56 42 AM

 

This change means that the /Volumes directory is readable by anyone but can only be written to by processes using root privileges.

This permissions change should not affect the system’s ability to mount storage devices or fileshares from network servers, as the OS itself is the one handling the mounting and has all the necessary permissions.

%d bloggers like this: