macOS Updates 23 January 2018

Apple have released updates to macOS High Sierra, macOS Sierra and OS X El Capitan today.

The updates for Sierra and El Capitan include mitigations for the Meltdown and Spectre vulnerabilities.

You can use the information below to search or report on the disposition of your inventory/fleet and read more from Apple.

  • macOS High Sierra 10.13.3
    Build numbers: 17D47 or 17D2047 (depending on hardware, both are current)
  • Security Update 2018-001 Sierra
    Build number: 16G1212
  • Security Update 2018-001 El Capitan
    Build number: 15G19009

For more information: About the security content of macOS High Sierra 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan
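As an added example (not part of the original post), here is a small Python helper that turns the build numbers listed above into a fleet report. It assumes Apple's build string layout of Darwin major number, minor letter and build number (17D47 is major 17, minor D, build 47), and its table contains only the three releases listed here; the function names are my own.

```python
"""Fleet disposition check for the 23 January 2018 macOS updates.
Added example, not from the original post. Assumes Apple's build string
layout: Darwin major number, minor letter, build number, optional beta
suffix."""
import re
import subprocess

# Current builds from the list above, keyed by the Darwin major number that
# starts every build string (17 = High Sierra, 16 = Sierra, 15 = El Capitan).
CURRENT_BUILDS = {
    17: "17D47",     # macOS High Sierra 10.13.3 (17D2047 on some hardware compares as newer)
    16: "16G1212",   # Security Update 2018-001 Sierra
    15: "15G19009",  # Security Update 2018-001 El Capitan
}

BUILD_RE = re.compile(r"^(\d+)([A-Z])(\d+)([a-z]?)$")


def parse_build(build):
    """'17D47' -> (17, 'D', 47). The tuples sort in release order: the letter
    advances with each minor release and the number within it. A trailing
    lowercase beta letter ('17D39a') is accepted and discarded."""
    m = BUILD_RE.match(build.strip())
    if not m:
        raise ValueError("not an Apple build string: %r" % (build,))
    return int(m.group(1)), m.group(2), int(m.group(3))


def patch_status(build):
    """'current', 'needs update', or 'unlisted' for a major version the
    table above does not cover (anything older than El Capitan)."""
    parsed = parse_build(build)
    baseline = CURRENT_BUILDS.get(parsed[0])
    if baseline is None:
        return "unlisted"
    return "current" if parsed >= parse_build(baseline) else "needs update"


def local_status():
    """(build, status) for the Mac this runs on; macOS only, shells out to sw_vers."""
    build = subprocess.check_output(["/usr/bin/sw_vers", "-buildVersion"]).decode()
    return build.strip(), patch_status(build)


if __name__ == "__main__":
    print(local_status())
```

Feed it the build strings your inventory tool already collects; a Sierra or El Capitan machine keeps its 10.12.6 / 10.11.6 version string after the security update, so the build number is the only reliable indicator.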

Cleaner Security Scripting

In previous articles, we have discussed making changes to the /etc/authorization file, also known as the authorization policy database or authorization database, using text editors.  Apple ships a tool in Mac OS X that is designed for exactly that purpose: /usr/bin/security.  In addition to a multitude of other uses, security has a subcommand called authorizationdb that reads and edits the authorization database.  (From OS X 10.9 onward the database lives in /var/db/auth.db rather than /etc/authorization, which is one more reason to go through security rather than a text editor.)

The authorizationdb subcommand has three operations: read, write and remove.  These function in much the same way as the defaults command is used to edit preference files; read works as any user, while write and remove require root, so run them with sudo.  Let’s use the previous article on setting DVD region codes as an example.  In that article, we discussed how to enable any user to set the initial DVD region code, but still require an administrative user to change the code once set.

To read the current authorization rule, we’ll use this command…

/usr/bin/security authorizationdb read system.device.dvd.setregion.initial

…which gives us the following output…

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
     <key>class</key>
     <string>user</string>
     <key>comment</key>
     <string>Used by the DVD player to set the region code the first time. Note that changing the region code after it has been set requires a different right (system.device.dvd.setregion.change).</string>
     <key>default-button</key>
     <dict>
          <key>en</key>
          <string>Set</string>
     </dict>
     <key>default-prompt</key>
     <dict>
          <key>en</key>
          <string>__APPNAME__ is trying to set the DVD region code for the first time.</string>
     </dict>
     <key>group</key>
     <string>admin</string>
     <key>shared</key>
     <true/>
</dict>
</plist>

Note: Non-English strings in the default-button and default-prompt dictionaries have been removed for brevity.

The “class” key and its value are the operative values that we are working with: class user together with group admin means that a member of the admin group must authenticate before the right is granted.  Using the write operation of the authorizationdb subcommand, we can make the same change described in the previous article, allowing any user to set the initial DVD region code, with a one-line script (run as root).

sudo /usr/bin/security authorizationdb write system.device.dvd.setregion.initial allow

After running this command, if we read the contents of the system.device.dvd.setregion.initial key again using /usr/bin/security authorizationdb read system.device.dvd.setregion.initial, we now receive the following output…

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
     <key>rule</key>
     <string>allow</string>
</dict>
</plist>

Not only does /usr/bin/security simplify editing the authorization database, it also results in a cleaner entry.
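To turn this into something you can run across a fleet, here is an added example (mine, not from the original article) that parses what security authorizationdb read prints and summarises who can obtain a right. The parsing runs anywhere; read_right and write_right are my own helper names that shell out to /usr/bin/security and therefore only work on macOS, and write_right must run as root. The two sample plists are constructed to mirror the before and after output shown above, with the prompt strings omitted.

```python
"""Audit helpers around `security authorizationdb`. Added example, not from
the original article. Parsing works on any platform; read_right/write_right
call /usr/bin/security and so only work on macOS (write needs root)."""
import plistlib
import subprocess

SECURITY = "/usr/bin/security"

# Constructed samples mirroring the two `authorizationdb read` outputs shown
# in the article (prompt strings dropped for brevity).
BEFORE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key><string>user</string>
    <key>group</key><string>admin</string>
    <key>shared</key><true/>
</dict>
</plist>
"""

AFTER = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>rule</key><string>allow</string>
</dict>
</plist>
"""


def describe_right(plist_bytes):
    """Summarise who can obtain a right from the plist that
    `security authorizationdb read <right>` prints.

    Returns {'effect': ...} where effect is:
      'allow'        granted to anyone, no authentication
      'deny'         never granted
      'authenticate' a credential is required; 'group' names who qualifies
      'delegate'     the right refers to other named rules ('rules'), which
                     must be read separately to know the real effect
      'unknown'      evaluate-mechanisms or an unexpected shape; inspect it
    """
    right = plistlib.loads(plist_bytes)
    cls = right.get("class")
    rules = right.get("rule", [])
    if isinstance(rules, str):
        rules = [rules]

    if cls == "allow" or (cls in (None, "rule") and rules == ["allow"]):
        return {"effect": "allow"}
    if cls == "deny" or (cls in (None, "rule") and rules == ["deny"]):
        return {"effect": "deny"}
    if cls == "user":
        return {"effect": "authenticate", "group": right.get("group", "")}
    if cls in (None, "rule") and rules:
        return {"effect": "delegate", "rules": rules}
    return {"effect": "unknown", "class": cls}


def read_right(name):
    """Raw plist for `name` (macOS only). security reports 'YES (0)' on
    stderr on success and exits non-zero if the right does not exist."""
    done = subprocess.run([SECURITY, "authorizationdb", "read", name],
                          capture_output=True, check=True)
    return done.stdout


def write_right(name, rule_or_plist):
    """Set `name` to a rule name such as 'allow', or, given bytes, restore a
    full plist previously saved from read_right(). Requires root."""
    if isinstance(rule_or_plist, bytes):
        subprocess.run([SECURITY, "authorizationdb", "write", name],
                       input=rule_or_plist, check=True)
    else:
        subprocess.run([SECURITY, "authorizationdb", "write", name, rule_or_plist],
                       check=True)


if __name__ == "__main__":
    right = "system.device.dvd.setregion.initial"
    print(right, describe_right(read_right(right)))
```

Save the output of read_right to a file before you change a right; write also accepts a plist on standard input when no rule name is given, so sudo security authorizationdb write <right> < saved.plist puts the original rule back. The 'delegate' case matters for audits: a right whose rule is, say, a named admin rule is only as strict as that rule, so read it too before calling the right locked down.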

I hope this is useful.

NSA Security Recommendations Part 1

The United States National Security Agency has published a pamphlet titled Hardening Tips for the Default Installation of Mac OS X 10.5 “Leopard”.  I consider many of these tips to be no-brainers, some to be best practices, and the rest have variable value depending on your organization’s requirements.  This article is the first of a series in which I’ll examine each of these tips, how to automate their implementation, and discuss any caveats for each.

Note: The NSA document, and therefore this series of articles, refer specifically to Mac OS X version 10.5 (Leopard). The ideas and techniques should transfer to 10.6 (Snow Leopard), but be sure to test carefully before putting into production. I will discuss any changes required to implement each recommendation in 10.6.

Don’t Surf or Read Mail using Admin Account

This falls into the “no-brainer” category.  I firmly believe that in an organization where the end user does not own his or her computer, there is no reason for that user to have administrative rights on the system.  For every so-called valid reason to grant administrative permission that I have encountered, there is a workaround that can give the user the ability to do their job without granting admin rights.  If you find yourself fighting against an organizational culture that wants admin rights for end users, you can counter with this statement:

“If end users have administrative rights, no IT group can make any guarantees or reliably satisfy any SLA regarding the performance, security or continued operability of the systems in question.”

Put simply, if unqualified people can mess with the works, then all bets are off.

Since this is a policy rather than a technical procedure, it holds true for Snow Leopard, all other versions of Mac OS X and any other OS as well.
If you believe you have a valid reason to grant administrative privileges to end users, or your organization is forcing you to grant those privileges for a particular reason or reasons, please leave a comment. I’ll do my best to describe a solution to the given problem without granting administrative rights.

Printing For Non-Admins In Leopard

This is a topic I’ve seen covered in many places; however, most of the articles I see on this topic only get part of the solution or solve it in a way that creates unnecessary security issues.  In light of this, I’ve decided to talk about what I consider to be the best practices on the subject and the reasons why.

Why Did Apple Limit The Printing System?

Unless you know why Apple imposed security restrictions on the printing system, it seems pretty silly and detrimental to users.  After I understood the reasons behind the change, it made a lot of sense.

When you add a printer in CUPS (Common UNIX Printing System, the printing software under the proverbial hood) and specify a PPD file for that printer, the PPD can point cupsd at filters and backends that it executes, often with root privileges.  This function of the printing system could be used to run malicious code.  To help mitigate this risk, administrator authentication is required if the logged in user is not an administrative user or if the “Require password to unlock each System Preferences pane” box has been checked in the Security System Preferences pane.  None of this is an issue in the “typical” home computer installation, since there is only one user and that user is an administrator.  For environments that require extra security, indicated by having standard (non-admin) user accounts and/or System Preferences restrictions, this exposure is closed.

Make A Spare Key; Don’t Remove the Door

Many of the blogs and forum posts I’ve read on this subject advocate the removal of CUPS security features.  If this sounds like a good idea, ask yourself this: if you wanted to give someone access to your home, would you take your front door off its hinges or give this person a key?  I think the answer is clear.

Understanding The Lock

Before we can make our “spare key”, we need to understand how the lock works.  To do that, we’ll look at the default CUPS configuration file, found at /private/etc/cups/cupsd.conf, and how it defines CUPS operation policies.  Every Mac OS X Leopard installation includes detailed documentation on this subject at http://localhost:631/help/policies.html.  For our purposes, we’ll look at the specific section of cupsd.conf that covers adding, deleting and setting default printers, but that URL is your best reference for CUPS operation and configuration.

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

The line that reads Require user @SYSTEM is what dictates that administrative authentication is required.

Making the Spare Key

Many people are recommending deleting or commenting out this block of text. This is the equivalent of taking the door off of the hinges that I mentioned. Instead, we can modify this block to grant permission to groups that we define, rather than removing the security feature. If we add user or group names to the line that reads Require user @SYSTEM, those users and members of those groups will be granted the add, delete and set default permissions. See the example below…

  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM @admin @lpadmin @mycustomgroup mycustomuser
    Order deny,allow
  </Limit>

This modification allows the members of the admin, lpadmin and mycustomgroup groups and the user mycustomuser to add, delete and set default printers; because AuthType Default is untouched, they still authenticate, they are simply now accepted. Group names require the preceding “@” character, usernames do not. Two caveats: @SYSTEM already expands to the groups named by the SystemGroup directive (admin on Mac OS X), so listing @admin as well is harmless but redundant; and cupsd reads cupsd.conf when it starts, so restart it after editing for the change to take effect.
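If you roll this out with a management tool rather than by hand, the risk is a script that mangles the block, or a later edit that quietly drops it. The following is an added example of mine (not from the original article): it appends principals to the Require user line of the relevant Limit blocks only, leaves AuthType and @SYSTEM in place, is safe to re-run, and includes a check that the admin operations are still protected. The cupsd.conf excerpt is constructed to resemble the Leopard default and only the functions' names are my own assumptions.

```python
"""Grant printer administration to extra users/groups in cupsd.conf without
removing the <Limit> block that enforces authentication.
Added example, not from the original article."""

# Constructed excerpt resembling the Leopard default policy section.
SAMPLE_CONF = """<Policy default>
  # All administration operations require an administrator to authenticate...
  <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>

  # Only the owner or an administrator can cancel or authenticate a job...
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>

  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
"""

ADMIN_OPS = frozenset(["CUPS-Add-Printer", "CUPS-Delete-Printer", "CUPS-Add-Class",
                       "CUPS-Delete-Class", "CUPS-Set-Default"])


def limit_ops(stripped_line):
    """Operations named by a '<Limit op1 op2 ...>' line, or None for other lines."""
    if not stripped_line.startswith("<Limit "):
        return None
    return stripped_line[len("<Limit"):].rstrip(">").split()


def grant_printer_admin(conf, principals):
    """Append principals to the 'Require user' line of every <Limit> block that
    covers an ADMIN_OPS operation. Groups carry a leading '@' ('@lpadmin'),
    bare names are users. Existing entries (including @SYSTEM) are kept and
    AuthType is not touched, so authentication is still required, just for a
    wider set of accounts. Re-running with the same principals is a no-op."""
    out, in_admin_block, changed = [], False, 0
    for line in conf.splitlines(keepends=True):
        stripped = line.strip()
        ops = limit_ops(stripped)
        if ops is not None:
            in_admin_block = bool(ADMIN_OPS.intersection(ops))
        elif stripped == "</Limit>":
            in_admin_block = False
        elif in_admin_block and stripped.startswith("Require user "):
            existing = stripped.split()[2:]
            new = [p for p in principals if p not in existing]
            indent = line[: len(line) - len(line.lstrip())]
            line = indent + "Require user " + " ".join(existing + new) + "\n"
            changed += 1
        out.append(line)
    if not changed:
        raise ValueError("no 'Require user' line found in an admin-operation <Limit> block")
    return "".join(out)


def admin_ops_still_protected(conf):
    """True only if at least one <Limit> block covers an ADMIN_OPS operation and
    every such block still carries both 'AuthType' and a 'Require user' line.
    The 'door off its hinges' edit (block deleted or commented out) gives False."""
    blocks, in_admin_block, has_auth, has_require = 0, False, False, False
    for line in conf.splitlines():
        stripped = line.strip()
        ops = limit_ops(stripped)
        if ops is not None:
            in_admin_block = bool(ADMIN_OPS.intersection(ops))
            has_auth = has_require = False
        elif stripped == "</Limit>" and in_admin_block:
            if not (has_auth and has_require):
                return False
            blocks += 1
            in_admin_block = False
        elif in_admin_block:
            has_auth = has_auth or stripped.startswith("AuthType ")
            has_require = has_require or stripped.startswith("Require user ")
    return blocks > 0


if __name__ == "__main__":
    # Dry run on the constructed sample. On a real Mac: read
    # /private/etc/cups/cupsd.conf, keep a backup, write the result back,
    # then restart cupsd.
    updated = grant_printer_admin(SAMPLE_CONF, ["@lpadmin", "@mycustomgroup", "mycustomuser"])
    print(updated)
    print("admin operations still protected:", admin_ops_still_protected(updated))
```

The Cancel-Job block in the sample is there to show that its own Require user line is left alone; only blocks naming one of the five administrative operations are edited. Run admin_ops_still_protected against the file after any change, including ones made by other tools, to catch the “remove the block” shortcut.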

Going Further

There are other default policies in the default cupsd.conf file that govern pausing & resuming queues, holding & deleting print jobs, etc. These policies can be modified in the same way. The CUPS help file (link at the top of this article) contains details on 38 different printing system operations that can be governed by the cupsd.conf file and detailed instructions on creating your own policies within the file. Using that information, you should be able to configure virtually any required or desired security settings.