How to protect OS X from the “rootpipe” vulnerability

A relatively long-standing vulnerability in OS X has been uncovered by a Swedish hacker, Emil Kvarnhammar, who has dubbed it “rootpipe” after the so-far undisclosed method by which it can be used to take control of your Mac. The flaw allows a hacker to gain administrative access to a system without supplying a password, and then interact with your Mac as an administrator.

In an interview with MacWorld, Kvarnhammar describes this bug as having been present in OS X 10.8.5, but he was not able to replicate it in 10.9; however, Apple has shuffled around its code in OS X 10.10 so the bug again allows access.

In contacting Apple about the issue, Kvarnhammar did not get a response; however, Apple has agreed upon a date in January for full disclosure of the vulnerability’s details, suggesting Apple has indirectly acknowledged the issue and is developing a fix to be out by then.

In the meantime, this and other privilege-escalation vulnerabilities can be managed by taking two important security steps with your Mac:

Use a standard user account

When you set up your Mac, the first user account created will be an administrative one so you can fully configure your system; however, Apple leaves you with this as your main account, instead of requiring you to create a separate user account with more limited privileges for daily use. By working in an admin account, you risk exposure to vulnerabilities that could give access to your system at this account’s privilege level; by limiting yourself to a standard account you can help contain such vulnerabilities.

The process for switching to a standard account for daily use is easy and painless:

  1. Open the Users & Groups system preferences and authenticate by clicking the lock.
  2. Create a new user account, and check the box to allow the user to administer the computer.
  3. Log out of your current account, and log into the new administrator account.
  4. Go back to the Users & Groups system preferences and again unlock them.
  5. Select your main user account and uncheck the option to allow the user to administer the computer.

[Figure: Setting admin privileges in OS X. From within your new administrative account, uncheck this box for your other user accounts to prevent them from running as admin.]

When finished, you can log out and back into your main account, and be able to use it as if there is no difference. Now whenever you need to administer your system by installing programs or changing settings that require admin access, you will supply the username and password of your new admin account, instead of that for your current account. This is a trivial difference in function, but does allow your Mac to run with added security.

Use FileVault

In addition to running as a standard user, consider enabling FileVault on your Mac. This is another recommendation by Kvarnhammar for preventing the “rootpipe” vulnerability from being used. In general, it is also a good idea, especially for portable systems, to have the entire contents of the drive encrypted. This will prevent a system from being rebooted in alternative modes to bypass the operating system’s security features and access data on the drive. Without the encryption password, the data on your Mac’s drive will be completely inaccessible.

[Figure: FileVault in OS X. Click this button in the Security & Privacy system preferences to enable FileVault.]

FileVault can be enabled by authenticating in the Security & Privacy system preferences, and then clicking the “Turn On FileVault” button in the FileVault tab. Follow the on-screen instructions for managing your encryption key and enabling specific user accounts for unlocking the drive. Encryption may take a few hours, after which your Mac’s drive will be fully encrypted.
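
Both steps can be verified from the Terminal. The script below is an added example, not part of the original article: it checks the output of "dscl . -read /Groups/admin GroupMembership" and "fdesetup status" to confirm that the daily-use account is no longer an admin and that FileVault is on. The account names in the comments are constructed samples.

```shell
#!/bin/sh
# Added example: audit the two mitigations described in the article.

# Succeeds if user $1 appears in the "GroupMembership: ..." line ($2)
# printed by: dscl . -read /Groups/admin GroupMembership
is_admin_member() {
    user=$1 membership=$2
    for name in ${membership#GroupMembership:}; do
        [ "$name" = "$user" ] && return 0
    done
    return 1
}

# Succeeds if the `fdesetup status` output ($1) reports encryption enabled.
filevault_on() {
    case $1 in
        "FileVault is On."*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one OK/FAIL line per check; returns 0 only if both checks pass.
# Constructed sample call:
#   audit macissues "GroupMembership: root tkessler" "FileVault is On."
audit() {
    user=$1 membership=$2 fv_status=$3 failed=0
    if is_admin_member "$user" "$membership"; then
        echo "FAIL: $user is in the admin group; demote it to Standard"
        failed=1
    else
        echo "OK: $user is a standard account"
    fi
    if filevault_on "$fv_status"; then
        echo "OK: FileVault is enabled"
    else
        echo "FAIL: FileVault is not enabled"
        failed=1
    fi
    return "$failed"
}

# Live check, only where the OS X tools exist; on other systems the
# functions above can still be fed captured command output.
if command -v dscl >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
    audit "$(id -un)" \
          "$(dscl . -read /Groups/admin GroupMembership)" \
          "$(fdesetup status)" || true
fi
```

Run it while logged into the account you use every day; a FAIL line means the corresponding step above has not taken effect yet.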

31 thoughts on “How to protect OS X from the “rootpipe” vulnerability”

  1. Jim

    This is the second time I’ve read his ‘instructions’ and I still don’t understand why the need to sign back into the now ‘Standard’ account. Why not simply create the new account as a ‘Standard’ one and log into it next time you Start up or Restart? I must be missing something… again! 😛

    1. Topher Kessler Post author

      If you create a new standard user account for yourself, then all of your settings, keychains, documents, email, and other data will be left in your old account, and you will not be able to easily access it. By creating a new admin account and then demoting your old one, you preserve all of your settings and documents as they were. The only difference is that you now have a new admin account to use when authenticating for system changes.

  2. forkboy1965

    The directions you provide for creating a user account (vs. administrator account)…. is this method utilized to basically turn the current administrator account into a user? I mean, this way one doesn’t have to create a user account and then set it up so it mimics the administrator account (which could require plenty of time and effort to recreate).

    1. Topher Kessler Post author

      That’s right. Your Mac will require you have at least one admin account, so if you only have your one user account then you cannot demote it. However, in these cases you can create an admin account and then demote yours to a standard one. An easy way to make this difference easy to remember is to name the new account “admin” or something similar, so when making changes you enter this along with the password, as is commonly done when trying to access admin modes in many systems (routers, printers, and other computing operating systems, etc.).

      1. forkboy1965

        Thanks, Topher. I had hoped my question wasn’t too inarticulate. And I’m glad I understood the intent of the directions. At first reading I thought it all very strange…”Why not just create a user account?”

        Live and learn…

    1. Stuff

      Local, if it was remote it’d be a higher priority. This hack is pointless anyway, if you have local access you can reset the admin password with any OS X install disk. Waste of time using a guest account in this case too.
      Only problem with File Vault is if you are having a disk problem (hardware/software) and you can’t mount the volume to decrypt it your data is gone.

  3. Al Varnell

    But it is a trivial matter to use your old non-admin account and still authenticate admin level changes from there by simply entering the name of your new admin account and its password. The only thing I know that it prevents is the use of Terminal with “sudo” since the old user won’t be listed as a sudoer.

    One other thing. It isn’t clear that Kvarnhammar considers the use of FileVault2 as a protection against rootpipe. He seems to be just advising it as a generally good security idea. FileVault prevents a person with physical access to a computer from doing anything to it, but does nothing with respect to any other malware infection vector.

    1. Strod

      “The only thing I know that it prevents is the use of Terminal with “sudo” since the old user won’t be listed as a sudoer.”
      True, but you can still type something like su thenewuser to become the sudoer (admin user) and then you can use sudo.

  4. B. Jefferson Le Blanc

    I appreciate Kvarnhammar’s discretion. That said, is there any evidence anyone is exploiting this flaw?

  5. oldfatguy

    Is it possible to file vault only a portion of your hard drive? I have a lot of large photos – not sure why they need to be encrypted, and I imagine it would be time consuming to encrypt/decrypt 35 MB every time I access – not to mention the Lightroom accessing thousands at a time.

    1. Topher Kessler Post author

      You cannot use FileVault to only target a portion of your drive, but your concern is unnecessary. FileVault does not actively encrypt and decrypt your files as you access them. Instead, it is a full-drive encryption, where once you unlock your drive at startup, the drive’s data will be fully readable. There are ways of having storage that is not encrypted, such as partitioning your boot drive to have a separate storage partition, but this may be more trouble than it’s worth. I would recommend you simply use FileVault at its full capacity to encrypt all items on your drive. You should not see any difference in performance as a result of this.

    2. Simon

      I’ve infrequently had odd issues with FileVault volumes, and there is no requirement that you must FileVault all partitions on a drive.

      So for myself, creating a FileVault partition for data has made sense, and keeps my boot drive free of any complications.

  6. Graig

    Having read and probably misunderstood Al Varnell’s comment above scared me away from this change. Does this account setup affect Terminal in any way? Don’t want any problems with this. I think he is referring to an existing old non-admin account. Can you confirm this Topher?

    1. Strod

      I’m not sure why Al Varnell’s comment scared you, but perhaps my reply to him helps assuage your fears? (The gist of my reply is that you can still use sudo, you just need to jump one extra hoop to get there.)

    2. Topher Kessler Post author

      Standard user accounts (non-admins) cannot use the “sudo” command to run Terminal commands in administrative mode. This is inherent to the security restrictions imposed on the standard accounts. To do this, you can switch users in the Terminal to an admin account, by way of the “su” command. For instance, if my admin account is “tkessler” and I am logged into one called “macissues” that is a standard account, then in the Terminal I must run “su tkessler” and then supply my password for the “tkessler” account, which will drop me to a new shell in this account, and from which I can then run commands with “sudo” to administer my system.

  7. Graig

    I’m sorry but I must be missing something. Topher never mentioned anything about Terminal issues in his instructions.

    1. Topher Kessler Post author

      There are no terminal “issues” with the instructions. The only difference is the need to authenticate in the Terminal as an administrator before you can run administrative commands. This is the same requirement as running any administrative task in the OS X GUI, where you will need to specify the username and password of your administrative account. To do this same thing in the Terminal, you first run the “su adminusername” command to switch users to one with administrative privileges, and then can run commands in administrative mode (i.e., using “sudo” before commands).

  8. Graig

    But if I use the sudo command in the newly created admin account it would work right? But not in the original account that I started with. So it will not be a problem if done this way?

    1. Topher Kessler Post author

      That’s right! The new admin account can run “sudo” commands just like your old one when it was admin. You can do this normally when logged into the new admin account. You can log into this account in two ways. The first is to do so from the login window as you would normally log into any account. In here, the Terminal will open under this account username and be able to run “sudo” commands directly.

      If you log into your old account that is no longer admin, when you open the Terminal you will not be able to run “sudo” commands immediately because the account loaded in the Terminal is not an administrative account. This requires the second method for logging in, where you use the “su” command in the Terminal to “Switch Users” to the username of a specified admin account. In doing this, you will supply your password for the admin account, and will be dropped to a new shell under that account username. In here you can see that you are running as the admin account by entering the “whoami” command, where you will see the admin username printed as the active account. With this as the active account, you can now run “sudo” commands as you normally would.

  9. Graig

    Thanks Topher, I understand now, I thought this to be the case. Just got confused along the way. It happens often these days lol

  10. Al Varnell

    I haven’t found any indication of that and as long as Kvarnhammar keeps his promise, I doubt that hackers are willing to spend the time to try and figure it out. They much prefer to be handed the vulnerability on a silver platter.

    Of course, once the details are known, there may be some attempts to use it, hoping users will be slow to apply the fix update. If it actually does require physical access to the computer, as the evidence seems to show, then it probably won’t be worth the trouble even then.

  11. Graig

    I have added the new admin account and of course it appears as a brand new OS X account when I’m logged in to it. Now to be clear, when logged in my old account and I want to update an app or make a change I will simply be asked to provide my new account name and password and I will be in business. Right? I seem to be having a problem grasping this as have never had a separate admin account alongside a user account.

    1. Topher Kessler Post author

      That is correct. Your new admin account will not have any documents or data in it, and its settings will be the default ones just as if you had installed OS X freshly (though applications you have installed will be available to run in this account). Now you do not have to use this account for daily activity at all, and once your old one is demoted to “Standard” you can log back into it and continue working as if nothing is different. When you need to install applications or change certain system settings, you will simply need to enter both the username and password of your admin account to make the desired changes. This can be done from within your “Standard” account, so there should be no need to log out and log into your Admin account to make changes.
