sudo hole

[ayf6]

if any user goes to the terminal and does sudo -s and when prompted for a password enters their OWN password they have gained root access. For some reason Apple decided it would be nice to include ALL:ALL in the sudoers file by default. This is a HUGE security hole so you all might want to look into locking down your sudoers file. If a user issue's passwd after doing sudo -s they will change ROOT's password. You all better check this out.

 

[iconara]

are you shure you didn't log in as yourself with your admin-account and your admin-password that was created when you installed the system. in this case, the root password (and sudo password) would be the same as your users password.


theo

 

[strobe]

You're really starting to piss me off.

I wish people would find out if it actually IS a hole before posting in SEVERAL forums!

I crown you the KING OF FUD!

Wolf! Wolf!

 

[iconara]

I tried with a user that was not an administrator and it was a no go, I could not do the things described above. I think that the default user being an administrator confuses people.


theo

 

[paulsomm]

SUDO by default doesn't ask for a root password but for the user's password. Think about it. SUDO is so that a non-root person can do specified root things. If you wanted them to know the root password then you wouldn't use SUDO. the password is the user's password so that if someone comes to an unlocked terminal they can't just sudo anything.

The SUDOers file only lets administrators have ALL:ALL rights on OSX by default. A non-admin user is unable to SUDO.

Granted, usually SUDO is used in conjuction with a restricted set of allowed commands (like SUDO to a maintenance script) but I'm sure Apple felt SUDO with ALL:ALL was still safer than enabling the root password by default (and I tend to agree).