On Wed, Jan 18, 2023 at 11:39 AM Larry McVoy <lm(a)mcvoy.com> wrote:
> Someone once told me that if they had physical access to a Unix box, they
> would get root. That has been true forever and it's even more true today,
> pull the root disk, mount it on Linux, drop your ssh keys in there or add
> a no password root or setuid a shell, whatever, if you can put your hands
> on it, you can get in.

A reasonable point, but I think it really depends on the UNIX implementation,
I suspect. Current macOS is pretty well hardened from this, with their
current enclaves and needing to boot home to Apple to get keys if things
are not 100% right. Not saying you or I cannot, but it basically means the
same cracking tricks you need to use for iPhones. It's not as easy as you
describe.
The ubiquitous Internet/WiFi changed the rules - as you can start to keep
some set of keys somewhere else and then encrypt the local volumes. In
fact, one of the things they do if macOS boot detects that root has been
modified (it has a crypto index stored away when it was made read-only),
the boot rolls back to the last root snapshot -- since they are all
read-only that works. In fact, it is a PITA to update/fix things like
traditional scripts (for instance the scripts in the /etc/periodic area).
Basically, they make it really unnatural to change the root file system,
make a new snapshot and index (I have yet to see it documented, although,
with much pain, I previously created a procedure that is close -- i.e. it
once worked on my pre-Ventura Mac -- but currently fails, so I need to
do some more investigation when I can bring this back to the top of the
importance/curiosity stack (I have a less than satisfying end around for
now so I'm ignoring doing it properly)).
Clem