Tag Archives: macos

Using ncdu to examine disk usage

du has been my go-to tool for checking disk usage and it’s wonderfully simple. But I’ve been using ncdu for a few weeks now.

ncdu is short for NCurses Disk Usage. In addition to being able to visualize disk usage by directory, it lets you sort on different parameters, delete files, show hidden files, and a few more stuff that you’ll miss if you go back to plain du. Most importantly it acts as a file manager, so you can simply enter the directories to see a more fine-grained breakdown of file sizes. As an added bonus it has Vim keybindings along with normal arrow key movements.

ncdu - ncurses disk usage

Screenshot of ncdu + help popup


brew install ncdu # macOS
sudo apt-get install ncdu # Ubuntu/debian

How the macOS root user vulnerability happened

Mac security specialist Patrick Wardle digs into the root cause (pun intended) behind why a blank password gave you root permissions:

* For accounts that are disabled (i.e. don’t have ‘shadowhash’ data) macOS will attempt to perform an upgrade

* During this upgrade, od_verify_crypt_password returns a non-zero value, and an error code which is not checked

* The user (or attacked) specified password is then ‘upgraded’ and saved for the account

It appears that od_verify_crypt_password should fail (update: it does and Apple just didn’t check for this!).

It might be an oversimplification, but what I gather from the post is that proper handling of the function’s return value (error code) could have prevented this on hindsight.

Now I’m pondering about all those times we ignore the error codes returned by the OS for file I/O operations and whatnot.

Root user vulnerability in macOS High Sierra

It has been discovered that you can get root permissions on a macOS system running High Sierra without any password. To test, click on the padlock in any System Preferences dialog and enter root as the username and keep the password to blank. Now click Ok (or whatever the confirmation button is) twice and you have root privileges!

This is like the worst nightmare ever, but note that the attacker needs to have physical access to the machine. Until Apple sends the patch, the easiest way to secure the system is by changing the root password as described here: https://support.apple.com/en-us/HT204012

Unfortunately it looks like the vulnerability was publicly disclosed without letting Apple know and waiting for a patch.