2006-03-29

How many setuid binaries on Mac OS?

I've complained a few times about the number of setuid binaries on Mac OS. Various things that Linux manages to do via /proc, for example, Mac OS does via a root-only API, and it ships setuid binaries as helpers for those programs (such as Activity Monitor) that need the API nonetheless.

Here's the complete list of setuid binaries on my more-or-less default Ubuntu installation:

/lib/dhcp3-client/call-dhclient-script
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/at
/usr/bin/mtr
/usr/bin/pmount
/usr/bin/pumount
/usr/bin/lppasswd
/usr/bin/fping
/usr/bin/fping6
/usr/lib/pt_chown
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/sbin/arping
/usr/sbin/traceroute6
/usr/sbin/pppd
/usr/X11R6/bin/X
/bin/su
/bin/mount
/bin/umount
/bin/ping
/bin/ping6

More than I'd like to see, and something like X seems like way too much program to be running as root. (I'm a fairly nervous type, by nature.)

My Debian box at work, which has pretty much every piece of junk in the (testing/unstable) universe installed, has a few more setuid files than that, but not many. (The only things that stick out are /usr/lib/libfakeroot-tcp.so and /usr/lib/libfakeroot-sysv.so, both of which are shared libraries, and aren't executable. Is there some meaning for the setuid bit on a shared library that I'm unaware of? Google doesn't seem to think so, so I guess it's a mistake in that package.)

Here's Mac OS 10.4.5's list. Deep breath now:

/Applications/System Preferences.app/Contents/Resources/installAssistant
/Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool
/Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy
/Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool
/bin/ps
/bin/rcp
/sbin/launchd
/sbin/mount_nfs
/sbin/mount_smbfs
/sbin/ping
/sbin/ping6
/sbin/restore
/sbin/route
/sbin/rrestore
/sbin/umount
/System/Library/CoreServices/Classic Startup.app/Contents/Resources/TruBlueEnvironment
/System/Library/CoreServices/Finder.app/Contents/Resources/OwnerGroupTool
/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent
/System/Library/CoreServices/SecurityFixer.app/Contents/Resources/securityFixerTool
/System/Library/Extensions/webdav_fs.kext/Contents/Resources/load_webdav
/System/Library/Filesystems/AppleShare/afpLoad
/System/Library/Filesystems/AppleShare/check_afp.app/Contents/MacOS/check_afp
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/Resources/PrinterSharingTool
/System/Library/Frameworks/JavaVM.framework/Versions/1.3.1/Commands/update_sharing
/System/Library/Frameworks/JavaVM.framework/Versions/1.4.2/Commands/update_sharing
/System/Library/Frameworks/JavaVM.framework/Versions/1.5.0/Commands/update_sharing
/System/Library/PreferencePanes/DateAndTime.prefPane/Contents/Resources/TimeZone.prefPane/Contents/Resources/TimeZoneSettingTool
/System/Library/Printers/IOMs/LPRIOM.plugin/Contents/MacOS/LPRIOMHelper
/System/Library/Printers/Libraries/aehelper
/System/Library/Printers/Libraries/csregprinter
/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/readconfig
/System/Library/PrivateFrameworks/Admin.framework/Versions/A/Resources/writeconfig
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/AirPortNetworkPrefs.bundle/Contents/Resources/AirPortCfgTool
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/Locum
/System/Library/PrivateFrameworks/DiskManagement.framework/Versions/A/Resources/DiskManagementTool
/System/Library/PrivateFrameworks/Install.framework/Versions/A/Resources/runner
/System/Library/PrivateFrameworks/NetworkConfig.framework/Versions/A/Resources/NetCfgTool
/usr/bin/at
/usr/bin/atq
/usr/bin/atrm
/usr/bin/batch
/usr/bin/chfn
/usr/bin/chpass
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/login
/usr/bin/lppasswd
/usr/bin/passwd
/usr/bin/quota
/usr/bin/rlogin
/usr/bin/rsh
/usr/bin/setregion
/usr/bin/smbutil
/usr/bin/su
/usr/bin/sudo
/usr/bin/top
/usr/lib/sa/sadc
/usr/libexec/authopen
/usr/libexec/chkpasswd
/usr/libexec/load_hdi
/usr/libexec/pt_chown
/usr/libexec/security_authtrampoline
/usr/libexec/security_privportserver
/usr/libexec/ssh-keysign
/usr/libexec/utmp_update
/usr/libexec/xgrid/IdleTool
/usr/sbin/netstat
/usr/sbin/pppd
/usr/sbin/scselect
/usr/sbin/traceroute
/usr/sbin/traceroute6
/usr/sbin/vpnd

[There was also ~/.netprefs which I complained about last year but evidently forgot to remove until now. Comcast's crappy "installation" program did that to me. (And for no good reason, other than that the guy they sent out had connected the wrong cables downstairs and wouldn't believe that it wasn't my fault for using a Mac until I ran his crapware.) Gone now, but embarrassing to have left it so long.]

The question of how many setuid binaries we Mac OS users have on our systems came to me as I read through Apple's "About Security Update 2006-001" and noticed: "The passwd program is vulnerable to temporary file attacks. This could lead to privilege elevation. This update addresses the issue by anticipating a hostile environment and by creating temporary files securely."

The updated passwd(1) anticipates a hostile environment? That is, a setuid-root binary only now anticipates a hostile environment? That's good of it.

Apple explicitly recommends running setuid helpers in "Performing Privileged Operations With Authorization Services: Scenarios", where they present a couple of other alternatives, which I agree are worse.

I just worry about the lack of minimization of the amount of code that's run as root. wc(1) reckons there are 4921128 bytes of setuid code on Mac OS 10.4.5, and that (slightly exaggerated because of hard links in /usr/bin/ for the "at" and "ch" families) seems like far too much to me. Especially when you compare it against the good example set by Linux.
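For anyone wanting to produce the two lists above and the byte count for their own box, here is an added script (mine, not Apple's or anything from the original post) that enumerates setuid files under given roots and totals their size, counting each inode once so the hard-linked at/ch families do not inflate the figure the way a plain wc(1) over the names does. It assumes either GNU stat (Linux) or BSD stat (Mac OS) is present, and builds a constructed fixture tree rather than touching a real system.

```shell
#!/bin/sh
# Audit setuid files: list them and measure how much code runs as root.

# stat_line FILE: print "device inode size path" with GNU stat, falling back
# to BSD stat on Mac OS (the two take different option syntax).
stat_line() {
    stat -c '%d %i %s %n' "$1" 2>/dev/null || stat -f '%d %i %z %N' "$1"
}

# list_setuid ROOT...: one "dev inode size path" line per setuid regular file.
list_setuid() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        stat_line "$f"
    done
}

# count_setuid_names ROOT...: number of setuid path names (hard links each count).
count_setuid_names() {
    list_setuid "$@" | awk 'END { print NR }'
}

# naive_total_bytes ROOT...: what "wc -c" over the names gives; hard links
# are summed once per name, which is the exaggeration mentioned above.
naive_total_bytes() {
    list_setuid "$@" | awk '{ sum += $3 } END { print sum + 0 }'
}

# total_setuid_bytes ROOT...: bytes of setuid code with each dev/inode pair
# counted once, so a hard-linked binary is not counted twice.
total_setuid_bytes() {
    list_setuid "$@" | sort -u -k1,2 | awk '{ sum += $3 } END { print sum + 0 }'
}

# make_sample_tree: constructed fixture, not a real filesystem. Two setuid
# files, one of them hard-linked under a second name (like at/atq in
# /usr/bin), plus one non-setuid file that must be ignored. Prints the root.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/bin"
    printf '%1000s' '' > "$d/usr/bin/at"    # 1000 bytes, setuid
    ln "$d/usr/bin/at" "$d/usr/bin/atq"     # same inode, second name
    printf '%500s' '' > "$d/bin/ping"       # 500 bytes, setuid
    printf '%200s' '' > "$d/bin/ls"         # 200 bytes, not setuid
    chmod 4755 "$d/usr/bin/at" "$d/bin/ping"
    chmod 755 "$d/bin/ls"
    printf '%s\n' "$d"
}
```

Run it against "/" (or "/Applications" "/System" "/usr" "/bin" "/sbin" on Mac OS) to reproduce the lists; on the fixture, naive_total_bytes reports 2500 while total_setuid_bytes reports 1500.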

I hope 10.5 makes some progress in this area.