os_sudoers_tty_configure.yaml check and fix don't work #248

Closed
opened 2026-01-19 18:29:48 +00:00 by michael · 1 comment
Owner

Originally created by @grismemj on GitHub.

Summary

The check and fix for tty_tickets in sudoers do not work (os_sudoers_tty_configure.yaml).

Steps to reproduce

The check passes whether there is a "Defaults tty_tickets" entry or not in /etc/sudoers or /etc/sudoers.d/*. The fix actually appears to remove the entry if it is there, otherwise does nothing.

Operating System version

macOS 12.3.1

What is the current bug behavior?

The check passes whether there is a "Defaults tty_tickets" entry or not in /etc/sudoers or /etc/sudoers.d/*. The fix actually appears to remove the entry if it is there, otherwise does nothing.

What is the expected correct behavior?

The check should be returning a 1 if the entry is there, not a 0. It returns a 0 always.

The fix just deletes any line that contains tty_tickets. It should create that entry in the sudoers file or a file under /etc/sudoers.d.

Relevant logs and/or screenshots

Output of checks

Possible fixes

I found this to be an effective check that tolerates multiple spaces and tabs:

/usr/bin/find /etc/sudoers* -type f -exec /usr/bin/grep -E "^Defaults[[:blank:]]*tty_tickets" '{}' \; | /usr/bin/wc -l | /usr/bin/xargs

This returns 1 if the tty_tickets entry is there.

I replaced the fix with this:

/bin/echo "Defaults tty_tickets" >> /etc/sudoers.d/local; chmod 440 /etc/sudoers.d/local

which creates /etc/sudoers.d/local with the "Defaults tty_tickets" entry. This should stick after OS updates and upgrades, unlike changes to the /etc/sudoers file itself.

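The thread contains two different checks: the one the issue author expected (is `Defaults tty_tickets` present?) and the one the project intends (is `Defaults !tty_tickets` absent?). The script below is an added example and is not the macos_security project's check or fix. It implements both counts over the files sudo actually reads, and a remediation that stages the drop-in under a dotted name (which sudo ignores), runs `visudo -cf` on it, and only then moves it into place, because a syntax error in any sudoers file makes sudo refuse to run. The `ROOT` argument, the drop-in name `tty_tickets`, and the `SUDOERS_VALIDATOR` override are this example's own conventions.

```shell
#!/bin/bash
# Added example, not the macos_security project's own check or fix.
# Scans a sudoers tree the way sudo reads it: ROOT/sudoers plus every regular
# file in ROOT/sudoers.d/ whose name has no '.' and does not end in '~'
# (sudo silently skips those). ROOT defaults to /etc; pass a constructed tree
# to test without touching the real configuration.

# Validator run on the staged drop-in. Override (e.g. SUDOERS_VALIDATOR=:) only
# for tests on a host without visudo or on a tree you do not own as root.
: "${SUDOERS_VALIDATOR:=visudo -cf}"

# List the sudoers files sudo would actually parse under ROOT.
sudoers_files() {
  local root="${1:-/etc}" f
  [ -f "$root/sudoers" ] && printf '%s\n' "$root/sudoers"
  for f in "$root"/sudoers.d/*; do
    [ -f "$f" ] || continue
    case "${f##*/}" in *.*|*~) continue ;; esac
    printf '%s\n' "$f"
  done
  return 0
}

# Print Defaults lines mentioning the tty_tickets flag, comments stripped.
# Tolerates any run of spaces/tabs, per-user/host forms (Defaults:michael),
# comma lists (Defaults env_reset, tty_tickets) and the negated !tty_tickets.
tty_ticket_lines() {
  sudoers_files "$1" | while IFS= read -r f; do
    sed -e 's/#.*$//' "$f" \
      | grep -E '^[[:blank:]]*Defaults[^#]*[[:blank:],!]tty_tickets([[:blank:],]|$)' \
      || true
  done
}

# What the project's check looks for: lines that turn tty_tickets OFF.
count_negated() { tty_ticket_lines "$1" | grep -Ec '![[:blank:]]*tty_tickets' || true; }

# What the issue author expected: lines that turn tty_tickets ON.
count_enabled() {
  tty_ticket_lines "$1" | grep -Ev '![[:blank:]]*tty_tickets' | grep -c . || true
}

# A drop-in only takes effect if ROOT/sudoers pulls the directory in.
has_includedir() {
  [ -f "${1:-/etc}/sudoers" ] \
    && grep -Eq '^[[:blank:]]*[#@]includedir[[:blank:]]' "${1:-/etc}/sudoers"
}

# Enable tty_tickets via a validated drop-in. Run as root on a real system so
# the file ends up owned by uid 0; sudo rejects sudoers files it does not trust.
enable_tty_tickets() {
  local root="${1:-/etc}" target tmp
  target="$root/sudoers.d/tty_tickets"          # no '.' in the name, so sudo reads it
  mkdir -p "$root/sudoers.d"
  tmp="$(mktemp "$root/sudoers.d/.tty_tickets.XXXXXX")"  # dotted: ignored while staged
  printf 'Defaults\ttty_tickets\n' > "$tmp"
  chmod 0440 "$tmp"
  if ! $SUDOERS_VALIDATOR "$tmp" >/dev/null 2>&1; then
    rm -f "$tmp"
    echo "staged drop-in failed validation; nothing installed" >&2
    return 1
  fi
  mv "$tmp" "$target"
}
```

Two caveats when using this on a real host. Defaults are applied in file order and the last one wins, so a `Defaults !tty_tickets` placed after the `#includedir` line in /etc/sudoers overrides any drop-in; in that case the negation itself has to go, which is what the project's fix does. And to confirm the running configuration rather than the files, `sudo -V` run as root prints the effective settings.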

@brodjieski commented on GitHub:

Hi!
Thanks for the feedback. For this specific check/fix, we are looking to make sure that configuration for sudo does NOT have !tty_tickets configured anywhere. Having !tty_tickets in the configuration will cause sudo to behave incorrectly, so that is all we are looking for in the check/fix.

If sudo is configured with Defaults tty_tickets, it is valid and will pass the check. The fix will not remove this line, since it's a valid setting. It will remove Defaults !tty_tickets if that line exists.

We are also looking to update the check for sudo configuration with a new method that will properly determine the running config rather than the configuration files. Look for this in an upcoming release.


Reference: usnistgov/macos_security#248