SAP / macOS-enterprise-privileges

For Mac users in an Enterprise environment, this app gives the User control over administration of their machine by elevating their level of access to Administrator privileges on macOS. Users can set the time frame using Preferences to perform specific tasks such as install or remove an application.


Temporary admin rights can be prolonged indefinitely with a sudoers.d/ entry

angrox opened this issue · comments

Description

After using the Privileges app once, the status of the app (locked/unlocked) can be bypassed using an entry in the sudoers.d/ directory.

Prerequisites

/etc/sudoers contains a line to include the sudoers.d directory (default in macOS Sonoma and below):
#include /etc/sudoers.d

Bypass Example

  1. Enable Admin mode

PrivilegesCLI --add
User user1 has now admin rights

  2. Create an entry in /etc/sudoers.d (the file must be written by a root process, so the redirection goes through sudo tee rather than the shell):

sudo tee /etc/sudoers.d/user1 > /dev/null << EOF
user1 ALL = (ALL) NOPASSWD:ALL
EOF

  3. Remove Admin mode

PrivilegesCLI --remove
User user1 has now standard user rights

  4. Check sudo permissions

sudo -l
[...]
User user1 may run the following commands on machine1:
(ALL) NOPASSWD: ALL

  5. Check root access (without password)

sudo whoami
root

The user user1 has now unlimited administrative access.

Possible solution

Config option to allow/disallow sudoers.d entries, or a list of configured entries

There are a thousand ways how a user can get privilege persistence once admin rights are available (LaunchDaemons, cron entries, Privileged Helper Tools, specialized apps), so this would be an endless game of cat and mouse...
That problem would be better handled by "Service Configuration Files" coming from your MDM (see https://support.apple.com/en-ca/guide/deployment/depdac2c8d89/web), as well as automated monitoring of privilege escalations with another tool.
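The bypass described in the issue leaves a visible trace, the sudoers.d entry itself, which is what the "automated monitoring" suggested in the reply would look for. The script below is an added example, not code from the Privileges project: it parses sudoers user specifications (comments and continuation lines handled) and flags rules granting ALL commands to principals other than root and the %admin group, assumed here to be the only grants in a stock macOS /etc/sudoers. The sample input is constructed.

```python
import re

# Constructed sample: the entry from the issue, the macOS default admin rule,
# a Defaults line and a narrowly scoped NOPASSWD rule with a continuation line.
SAMPLE_SUDOERS = """\
# /etc/sudoers.d/user1 (constructed sample, mirrors the entry in the issue)
Defaults env_reset
%admin ALL = (ALL) ALL
user1 ALL = (ALL) NOPASSWD:ALL
backup ALL = (root) NOPASSWD: /usr/bin/rsync, \\
    /usr/bin/tar
"""

# One sudoers user specification:  who  hosts = (runas) [tags:] commands
RULE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
SKIP = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")

def parse_rules(text):
    """Yield one dict per user specification; comments, Defaults and aliases are skipped."""
    for raw in re.sub(r"\\\s*\n", " ", text).splitlines():   # join backslash continuations
        line = raw.split("#", 1)[0].strip()                  # drop comments and #include lines
        if not line or line.startswith(SKIP):
            continue
        m = RULE.match(line)
        if not m:
            continue
        parts = [p.strip() for p in m.group("rest").split(":")]   # tags before the last ':'
        yield {"who": m.group("who"), "hosts": m.group("hosts"),
               "runas": m.group("runas") or "", "tags": parts[:-1],
               "commands": [c.strip() for c in parts[-1].split(",")]}

def standing_root_grants(text, expected=("root", "%admin")):
    """Rules that grant ALL commands to principals outside the expected set.
    Unlike admin-group membership, these survive a PrivilegesCLI --remove."""
    return [r for r in parse_rules(text)
            if r["who"] not in expected and "ALL" in r["commands"]]

def report(text):
    """Human-readable findings, one line per standing grant."""
    lines = []
    for r in standing_root_grants(text):
        pw = "without password" if "NOPASSWD" in r["tags"] else "with password"
        lines.append(f"{r['who']}: ALL commands as ({r['runas'] or 'root'}) {pw}")
    return lines

if __name__ == "__main__":
    # Real use: feed the concatenation of /etc/sudoers and every file in /etc/sudoers.d/ (read as root).
    for finding in report(SAMPLE_SUDOERS):
        print("standing grant:", finding)
```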