17 Oct 2011

Getting Root on OS X

There is a myth that to get a root prompt on an OS X machine you need to enable the root account, a non-standard manipulation of the system settings that can potentially open your systems (and especially servers) to security risks.

Yes, by default OS X ships with the root account disabled, but logging in as root is still possible by combining two privilege-escalating commands:

sudo su -

sudo (run the command with privilege escalation)
su (switch user) - (and switch to that user's full login shell environment)

This command will give you a root login prompt indistinguishable from logging in as root in the first place, and you don't need to enable the root account. You are effectively invoking a shell with root permissions, but as "su -" runs all of a user's login scripts and the other steps involved in setting up a shell environment, it is a lot cleaner than issuing the similar command:

sudo /bin/bash

Going Deeper
Not every user on a system can invoke these commands. *BSD is normally set up so that users in the group "wheel" can use sudo and su -. On OS X we can use trusty Workgroup Manager to investigate whether this is also the case.

Fire up Workgroup Manager and, instead of logging into a server, type localhost in the login window and connect with one of the local admin accounts' credentials.

You'll be presented with the familiar Workgroup Manager window, but you should be looking at the local directory of the computer you are on. Mac OS X uses Open Directory for local machine accounts, and we can use this familiar tool to manipulate the local machine's user and group structures.

Most of the accounts and groups your computer uses to keep things running are initially hidden. You can show them by using the View menu and selecting "Show system records".
Now select the Groups tab in the left sidebar and you will see all the groups on the local computer. Quite a lot, huh. You'll notice that there is no wheel group on OS X.

So where do sudo and su - get the information about which accounts are allowed to act as root?
Some of it is provided by the /etc/sudoers file, edited by running the command sudo visudo, which lets system administrators change which users and groups can run which commands as root on the computer. visudo is a special modification of vi that syntax-checks your edits to the /etc/sudoers file before they are saved, among other cool stuff. You should only ever use visudo for editing /etc/sudoers.

On Mac OS X the "sudoers" file includes these lines:
# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL

So it's users in the admin group who can run commands as root. Checking out the "Administrators" group (usually group ID 80) in Workgroup Manager shows us that its short name is "admin" (as referenced in the sudoers file) and that it should contain all the users marked as admin accounts on your local computer. In fact, if you remove a user from this group, the tick next to "Allow user to administer this computer" in the Accounts pane of System Preferences becomes unticked!

Users with benefits 
So let's use all this information about which users can escalate to root and which can't to our admin advantage. Try adding an account to the Administrators group on the local computer. There is a drop-down on the pop-out tray that allows you to switch nodes in the search path.

You can make any user, or group of users, from any server your computer is bound to a local administrator on your computer by adding them to the local "Administrators" group!

This means that if I have a bunch of users who want to be admins of the computers they log into, I can make a group for them on the server, call it "Local Admins" or something, add their server accounts to it, and then add the "Local Admins" group to the Administrators group on the workstations they use. Boom: no special permissions on the server, and they have full control of that machine.

It's no fun having to visit every machine to set this up, but the good news is that there is a Terminal command we can push out via Apple Remote Desktop to add the server group of our "Local Administrators" to the "Administrators" group on every workstation you want them to have access to.

The command we'll use is dseditgroup (DirectoryService edit group):

sudo dseditgroup -o edit -a localadmins -t group admin

The above command adds the "localadmins" group to the admin group on the local computer. Note that you have to use the groups' short names. Also note that you don't have to specify that the "localadmins" group comes from an Open Directory server: the command looks for "localadmins" in the machine's search path. For more information see the dseditgroup man page.
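Once server groups are nested inside the local admin group like this, it is worth being able to answer "who on this box can actually get a root shell?" without clicking through Workgroup Manager. The following is an added Python example, not code from the post: it parses privilege lines in the shape of the sudoers excerpt quoted above and resolves direct and nested group membership. The sudoers text and the group records are constructed sample data; the accounts alice, bob, carol and dave, and the staff group, are hypothetical.

```python
import re

# Constructed sample of the /etc/sudoers privilege specification, matching
# the default lines the post quotes (not read from a real machine).
SUDOERS = """\
# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
"""

# Constructed group records: direct members plus nested groups, mirroring the
# "localadmins" server group the post adds to "admin" with dseditgroup.
# Hypothetical names, not a real directory dump.
GROUPS = {
    "admin": {"members": ["root", "alice"], "nested": ["localadmins"]},
    "localadmins": {"members": ["bob", "carol"], "nested": []},
    "staff": {"members": ["dave"], "nested": []},
}

# Only the unrestricted "ALL=(ALL) ALL" form used on the page is recognised;
# Cmnd aliases, NOPASSWD tags and host lists are deliberately out of scope.
SPEC = re.compile(r"^(?P<who>%?\w+)\s+ALL=\(ALL\)\s+ALL\s*$")


def sudo_principals(sudoers_text):
    """Return (users, groups) granted unrestricted sudo by the sudoers text."""
    users, groups = set(), set()
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SPEC.match(line)
        if m:
            who = m.group("who")
            (groups if who.startswith("%") else users).add(who.lstrip("%"))
    return users, groups


def expand_group(name, groups, seen=None):
    """Resolve direct and nested membership, guarding against cycles."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    members = set(groups[name]["members"])
    for nested in groups[name]["nested"]:
        members |= expand_group(nested, groups, seen)
    return members


def root_capable_users(sudoers_text, groups):
    """Every account that can reach a root shell via `sudo su -`."""
    users, group_names = sudo_principals(sudoers_text)
    for g in group_names:
        users |= expand_group(g, groups)
    return sorted(users)
```

Feeding it the real sudoers file and the output of a group listing from the local directory gives the audit view you would otherwise have to assemble by hand from Workgroup Manager.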
