Ramblings of an aging IT geek

the macos root login bug, and why local matters

Reacting to the wave of authentication-bypass disclosures doing the rounds this week, and an honest look at where local security sits in my own setup.

There is a particular kind of disclosure that makes a week like this one feel uncomfortable: the authentication bypass. Not a memory corruption you need to chain three exploits to reach, but a logic flaw where the system simply lets you in when it should not. Those land hard because anyone can understand them. You do not need to know what a heap is to grasp "it accepted a blank password".

I am being deliberately vague on the exact details because the picture is still settling and I would rather not repeat a half-remembered version of someone's research. The shape of it, though, is worth talking about regardless of which specific bug you have in mind.

local feels safe, and that is the trap

The reflex defence is always the same: "but you need local access". And it is true, plenty of these need someone sat at the machine, or already through the front door of your network. The problem is that "local" is doing a lot of work in that sentence.

In a shared office, local is the temp who borrows a desk. In a homelab, local is the smart plug you flashed last month and forgot about. On a laptop, local is whoever picks it up while you fetch coffee. The boundary you imagined was a wall is often a curtain.

So when the standard reassurance arrives, I have learned to ask the next question: local to what, and who counts as local? More often than I would like, the honest answer is "more people than I assumed".

what I actually did about it

Nothing heroic. I patched the machines I could, made a note of the ones I could not patch immediately, and then did the boring thing I always mean to do and never quite finish: I went through who can physically or near-physically reach each box.

The two takeaways for my own setup were unglamorous. First, screen-lock timeouts that I had set generously back when I trusted my environment more than I should have. Second, a couple of services bound to 0.0.0.0 that had no business being reachable from anything but localhost. Neither of those is the disclosure of the week. Both of them are the kind of thing the disclosure of the week reminds you to check.
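The 0.0.0.0 check is easy to script. What follows is an added example of my own, not anything from the disclosure or from Apple: it parses the output of `lsof -nP -iTCP -sTCP:LISTEN` (the sample below is constructed, not a real box) and flags every listener that is not on loopback and not on an explicit allow-list of ports you mean to expose.

```python
import subprocess
from dataclasses import dataclass

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output; none of these
# PIDs, devices or processes are real. "*" in the NAME column is lsof's
# way of showing a socket bound to all interfaces (0.0.0.0 / ::).
SAMPLE_LSOF = """\
COMMAND     PID  USER    FD   TYPE             DEVICE SIZE/OFF NODE NAME
sshd        310  root     3u  IPv4 0x1a2b3c4d5e6f7080      0t0  TCP *:22 (LISTEN)
rapportd    522  dan      4u  IPv4 0x1a2b3c4d5e6f7081      0t0  TCP *:49152 (LISTEN)
rapportd    522  dan      5u  IPv6 0x1a2b3c4d5e6f7082      0t0  TCP *:49152 (LISTEN)
python3    8123  dan      3u  IPv4 0x1a2b3c4d5e6f7083      0t0  TCP 127.0.0.1:8000 (LISTEN)
node       9001  dan     21u  IPv6 0x1a2b3c4d5e6f7084      0t0  TCP [::1]:3000 (LISTEN)
grafana    9100  grafana  9u  IPv4 0x1a2b3c4d5e6f7085      0t0  TCP *:3000 (LISTEN)
postgres   1200  _pg      7u  IPv4 0x1a2b3c4d5e6f7086      0t0  TCP 192.168.1.20:5432 (LISTEN)
"""

LOOPBACK_HOSTS = {"127.0.0.1", "[::1]", "localhost"}


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    host: str
    port: int
    scope: str  # "loopback", "wildcard" or "interface"


def classify_host(host):
    """Map the host part of an lsof NAME column to a reachability scope."""
    if host == "*":
        return "wildcard"          # bound to 0.0.0.0 or :: -> reachable from off-box
    if host in LOOPBACK_HOSTS or host.startswith("127."):
        return "loopback"          # only reachable from the machine itself
    return "interface"             # bound to one specific, routable address


def parse_lsof_listeners(text):
    """Parse lsof LISTEN lines. Assumes COMMAND names contain no spaces."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[-1] != "(LISTEN)":
            continue                                  # header or unexpected line
        host, port = fields[-2].rsplit(":", 1)        # NAME is the token before (LISTEN)
        listeners.append(Listener(fields[0], int(fields[1]), host, int(port), classify_host(host)))
    return listeners


def exposed_listeners(text, allow_ports=frozenset()):
    """Listeners reachable from off-box whose port is not deliberately allowed."""
    return [l for l in parse_lsof_listeners(text)
            if l.scope != "loopback" and l.port not in allow_ports]


if __name__ == "__main__":
    live = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                          capture_output=True, text=True, check=False).stdout
    for l in exposed_listeners(live, allow_ports={22}):
        print(f"{l.command}[{l.pid}] {l.host}:{l.port} ({l.scope})")
```

Run it directly on a Mac or Linux box and it lists what is actually reachable from the network, which is the list to compare against what you believe is reachable.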

That is the real value of a noisy week like this one. The specific bug will be patched and forgotten inside a month. The prompt to actually audit your trust boundaries, while you are paying attention, is the part worth keeping.

The uncomfortable bit is admitting that defence in depth is not a slogan, it is a chore, and most of us only do the chore when something frightens us into it. This week did the frightening. I might as well do the chore.