On Wed, Jan 18, 2023 at 11:39 AM Larry McVoy <lm@mcvoy.com> wrote:
> Someone once told me that if they had physical access to a Unix box, they
> would get root. That has been true forever and it's even more true today,
> pull the root disk, mount it on Linux, drop your ssh keys in there or add
> a no password root or setuid a shell, whatever, if you can put your hands
> on it, you can get in.
A reasonable point, but I think it really depends on the UNIX implementation I suspect. Current macOS is pretty well hardened from this, with their current enclaves and needing to boot home to Apple to get keys if things are not 100% right. Not saying you or I cannot, but it basically means the same cracking tricks you need to use for iPhones. It's not as easy as you describe.
The ubiquitous Internet/WiFi changed the rules - as you can start to keep some set of keys somewhere else and then encrypt the local volumes. In fact, one of the things they do is that if macOS boot detects that root has been modified (it has a crypto index stored away when it was made read-only), the boot rolls back to the last root snapshot -- since they are all read-only that works. In fact, it is a PITA to update/fix things like traditional scripts (for instance the scripts in the /etc/periodic area). Basically, they make it really unnatural to change the root file system, make a new snapshot and index (I have yet to see it documented although, with much pain, I previously created a procedure that is close -- i.e. it once worked on my pre-Ventura Mac - but currently -- fails, so I need to do some more investigation when I can bring this back to the top of the importance/curiosity stack (I have a less than satisfying end around for now so I'm ignoring doing it properly)).
Clem