Hacker News new | past | comments | ask | show | jobs | submit login

From the FreeBSD man for date

  Only the superuser may set the date, and if the system securelevel (see
  securelevel(7)) is greater than 1, the time may not be changed by more
  than 1 second.
EDIT: so you need to be root anyway or have root access to change the date.



Users on MacOS can change the time without root access.


Are you sure? If it is it sounds like a possible security issue. Time is pretty sensitive as soon as certificates are involved. Many auth systems assume the clock is properly synchronized across the system.

If that's true IMO that's the security issue, not the arguably strange behaviour of sudo in a situation that should never occur.


well from the terminal

   $ date 010101011970
   date: bind: Permission denied
   date: settimeofday (timeval): Operation not permitted
   [15:45:41][dazza@imac.internal:~]
From System Preferences you can indeed set the date back to 1970:

   $ date
   Fri  2 Jan 1970 00:56:44 BST
   [00:56:44][dazza@imac.internal:~]
but there is a little lock that you might need to unlock (with a user password).

This does seem like a security issue on OSX.


That little lock icon is the same as running sudo from the command line. If the user is listed as an Administrator, then they're also able to sudo.


Changing back 01/01/1970 via Date & Time preferences doesn't need authentication, but the exploit still didn't work, at least for me.


> Changing back 01/01/1970 via Date & Time preferences doesn't need authentication

This is not true but it can be confusing if you've authenticated at all recently due to a grace period like sudo's.


I've never unlocked that panel, and I've rebooted recently, and still didn't need authentication. Are you sure that's as right?


The authentication for changing things via the System Preferences system is independent of sudo and "sticks" across reboots.


Is your account an Administrator account? Normal users are just Standard accounts and not Administrators.


System time or what is displayed to the user? Because they are two different things on some systems.


This is absolutely not true. You must be listed as an Administrator to change system time. If you're an Administrator, then your account is also included in the admin group which means you have full sudo access anyway.


But most of the time, someone using MacOS has physical access to the box. They can always just boot up as single user and BOOM root:

http://support.apple.com/kb/ht1492


As far as I tested in the Date and Time preference pane,... Users enabled as an Administrator, yes. Standard users, no.

`date` still behaves as one expects.


Would this work with an LD_PRELOAD of libfaketime?


    env_reset    
        
    If set, sudo will run the command in a minimal
    environment containing the TERM, PATH, HOME, MAIL,
    SHELL, LOGNAME, USER, USERNAME and SUDO_* variables.
    Any variables in the caller's environment that match
    the env_keep and env_check lists are then added,
    followed by any variables present in the file specified
    by the env_file option (if any).  The default contents
    of the env_keep and env_check lists are displayed when
    sudo is run by root with the -V option.  If the
    secure_path option is set, its value will be used for
    the PATH environment variable.  This flag is on by
    default.
Also this would open up an entire vector of arbitrary command execution attacks if it was allowed.

Also, you can not use LD_PRELOAD on sudo itself, as it is disabled for setuid binaries.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: