Hacker News new | ask | show | jobs
by nwh 4862 days ago
Users on MacOS can change the time without root access.
5 comments
simias 4862 days ago
Are you sure? If it is it sounds like a possible security issue. Time is pretty sensitive as soon as certificates are involved. Many auth systems assume the clock is properly synchronized across the system.

If that's true IMO that's the security issue, not the arguably strange behaviour of sudo in a situation that should never occur.

link
dazzawazza 4862 days ago
well from the terminal

   $ date 010101011970
   date: bind: Permission denied
   date: settimeofday (timeval): Operation not permitted
   [15:45:41][dazza@imac.internal:~]
From System Preferences you can indeed set the date back to 1970:

   $ date
   Fri  2 Jan 1970 00:56:44 BST
   [00:56:44][dazza@imac.internal:~]
but there is a little lock that you might need to unlock (with a user password).

This does seem like a security issue on OSX.

link
adestefan 4862 days ago
That little lock icon is the same as running sudo from the command line. If the user is listed as an Administrator, then they're also able to sudo.
link
pschastain 4862 days ago
Changing back 01/01/1970 via Date & Time preferences doesn't need authentication, but the exploit still didn't work, at least for me.
link
acdha 4862 days ago
> Changing back 01/01/1970 via Date & Time preferences doesn't need authentication

This is not true but it can be confusing if you've authenticated at all recently due to a grace period like sudo's.

link
nwh 4862 days ago
I've never unlocked that panel, and I've rebooted recently, and still didn't need authentication. Are you sure that's as right?
link
adestefan 4862 days ago
The authentication for changing things via the System Preferences system is independent of sudo and "sticks" across reboots.
link
glitch 4861 days ago
Is your account an Administrator account? Normal users are just Standard accounts and not Administrators.
link
rplnt 4862 days ago
System time or what is displayed to the user? Because they are two different things on some systems.
link
kgo 4862 days ago
But most of the time, someone using MacOS has physical access to the box. They can always just boot up as single user and BOOM root:

http://support.apple.com/kb/ht1492

link
adestefan 4862 days ago
This is absolutely not true. You must be listed as an Administrator to change system time. If you're an Administrator, then your account is also included in the admin group which means you have full sudo access anyway.
link
glitch 4861 days ago
As far as I tested in the Date and Time preference pane,... Users enabled as an Administrator, yes. Standard users, no.

`date` still behaves as one expects.

link