20 January 2007

BOM Shelter: MoAB 5, 8, 15 Permissions Fix

Mac OS X, and a number of programs by third parties, have some risky permissions by default. I’ve taken the work I did a couple weeks ago and updated it to cover over more of these problems (MoAB days 5, 8, and 15). It also has a new more clever name: bom-shelter.py (sig)

To get this script, simply save the bom-shelter.py link to your disk.

To verify the script you get is one I wrote, you can download the signature and gpg --verify bom-shelter.py if you happen to have GnuPG installed and have a reason to trust my public key (0x4185664C).

To use this script, you must, from an admin account, run sudo python bom-shelter.py in Terminal, iTerm, or some other reasonable equivalent.

This script does the following for each of the MoAB advisories listed above:
#5: The permissions on BOM files are made more secure and /Library/Receipts (and important descendants) get a sticky bit to prevent shenanigans.

#8: /Library/Frameworks gets a sticky bit to prevent potential adversaries from being able to replace components that Application Enhancer runs as root inside Application Enhancer.framework.

#15: The three setuid root programs that can be overwritten by members of the “admin” group in /Applications/Utilities mentioned in the advisory are changed to not be “admin”-writable. This is also done to /Applications/System Preferences.app/Contents/Resources/installAssistant which has a similar vulnerability.

For all of these things, the script also edits the BOM files in /Library/Receipts to ensure that if you “repair permissions” on your disk these vulnerabilities will not reappear. The BOM file format is not very well documented so these edits may or may not work for you, but they should not corrupt the file. The editing function is careful to only change values if they are what is expected, otherwise it’ll print a warning and not make a change. Backup versions of your BOM files are saved as part of this process.

If you happen to have Application Enhancer installed, in order to secure your machine with Landon Fuller’s awesome MoAB Fixes or any other reason, please take the time to secure /Library/Application Enhancers outside your home directory and ~/Library/Application Enhancers inside your home directory. Malicious code can write things there without your permission and if Application Enhancer uses those patches without asking you, it might make you sad.

10 comments:

Anonymous said...

"please take the time to secure /Library/Application Enhancers outside your home directory and ~/Library/Application Enhancers inside your home directory."

Please explain how to do this. Thanks.

wac said...

/Library/Application Enhancers can get the normal sort of treatment:

sudo chmod +t /Library/Application\ Enhancers
sudo chmod -R go-w /Library/Application\ Enhancers

~/Library/Application Enhancers is a trickier problem. This stems from the fact that the directories above it are owned by your account, which may not always be trustworthy. So those permissions need to change to something like...

rwxrwxr-t root:YOURUSER ~
rwxrwxr-t root:YOURUSER ~/Library
rwxrwxr-t root:YOURUSER ~/Library/Application Enhancers

We'll do InputManagers too while we're at it since those can also do crazy things.

sudo chown root:$USER ~ ~/Library ~/Library/Application\ Enhancers ~/Library/InputManagers
sudo chmod 1775 ~ ~/Library ~/Library/Application\ Enhancers ~/Library/InputManagers

Thanks for bringing this up, I should get it added to bom-shelter.

wac said...

Looks like I was up too late last night, because I left a little bit out there... you also need to:

sudo chmod 1755 ~/Library/Application\ Enhancers ~/Library/InputManagers

This prevents you from adding things to these folders if you're not root first. This makes installing APEs and input managers a lot less convenient, but it also gives attackers one less place they can insert executable code that's guaranteed to run.

Anonymous said...

The GPG public key file you linked to, above, doesn't appear to contain the key which your Python script is actually signed with (6A3140CF). I was able to get the 6A3140CF key from a public key server though.

Anonymous said...

hey, could you please post a script (or some commands) that changes all permissions back. I used the python script and some lines from the comments thinking it would do no harm (I was thinking it would make me ask for permissions when installing an new app). The problem is that no app can access my preferences anymore (doesn't sound bad, but it means allmost no apps run anymore). I'm even having trouble moving all files to a different computer since SAMBA doesn't work anymore (I'm tar'ing and ftp'ing them at the moment). I'm sorry I'm so ignorant and I've should've looked at the python script. (I have looked now and I saw the part that prevents "repair all permissions" from restoring the changes...) Thank you very much...

wac said...

"The GPG public key file you linked to, above, doesn't appear to contain the key which your Python script is actually signed with (6A3140CF). I was able to get the 6A3140CF key from a public key server though."

It's in there it's a subkey.

wac said...

"hey, could you please post a script (or some commands) that changes all permissions back. I used the python script and some lines from the comments thinking it would do no harm (I was thinking it would make me ask for permissions when installing an new app). The problem is that no app can access my preferences anymore (doesn't sound bad, but it means allmost no apps run anymore)."

You must've done something a little different than what I laid out here, or you are somehow not a member of the group that has the same name as your login id.

You'll need to provide more information like the output of "id" and "ls -ld ~ ~/Library ~/Library/Preferences" in order for anyone to provide effective help for you.

Anonymous said...

Thanks for commenting, here's the output of the commands:

id : uid=501(Bob) gid=501(Bob) groups=501(Bob), 81(appserveradm), 79(appserverusr),80(admin)

I had to execute the next command as root (I don't really know how it works but I suspect the output means my Library and Preferences are only read-write-removable by root?)

sudo ls -ld ~ ~/Library ~/Library/Preferences :
drwxr-xr-x 109 root Bob 3706 Jan 22 21:37 /Users/Bob
drwx------ 43 root Bob 1462 Nov 14 09:48 /Users/Bob/Library
drwx------ 486 Bob Bob 6324 Jan 23 07:30 /Users/Bob/Library/Preferences

I guess by now you have figured out my name is bob and if you were wondering why it took me so long to reply: I'm UTC+1. I think I have to chmod these directories, but I don't know what code to use because my unix command line knowledge is limited to basic commands (just enough to untar and compile code ;))

Do you happen to know of a good book to learn UNIX stuff? I don't think it has to be specific to os x, any linux or *bsd book'll do.

Thanks again,
bob

Anonymous said...

When securing my home directory, I'm finding that making it group writeable stops sshd from allowing access via authorized key. I'm not finding any way to override that behavior by sshd. I wonder if there's any way around this problem.

I actually don't even have either an APE or InputManagers directory in my ~/Library , but I suppose that doesn't help.

Thanks for any solution.

Dan

Joel said...

Thanks for doing this work, wac.

Bob's comment made me wonder if the results of this script might mess things up for users who do not run as admin. I'm probably wrong because the output of 'id' when I'm logged in as my standard user is
uid=501() gid=20(staff) groups=20(staff)

(deleting my username for security)

and the output of my admin user's 'id' command is

uid=503() gid=20(staff) groups=20(staff), 79(appserverusr), 80(admin), 81(appserveradm)

which looks like Bob's output as well.

I'm also with Bob in my ignorance of the Unix command line. I think I know a little more, but not much :(

Any chance you could illuminate the meaning of the following strings:

root:YOURUSER in the string 'rwxrwxr-t root:YOURUSER'

(I understand the rest)

and

root:$USER in the string 'sudo chown root:$USER'

?

No idea even where to find these if I try to RTFM. I do get the basic idea of a user and a group, just can't quite figure out how those relate. (Does $USER in the above mean that the group ownership of the relevant file/directory gets changed to the current user's gid? And if that user is root, since we're using sudo, does it change the group to wheel? admin? Am I suitably confused yet?)

It's more convenient (but not necessary) to be able to install software -- at least into /Applications by drag'n'drop -- in the context of my standard (non-admin) user. Does bom-shelter (or the additional commands listed in the first couple of comments) make that impossible?

Finally, sorry if I'm being completely stoopid about this. Feel free to tell me so.