sudo hole

ayf6

Registered
If any user goes to the terminal and does sudo -s and, when prompted for a password, enters their OWN password, they have gained root access. For some reason Apple decided it would be nice to include ALL:ALL in the sudoers file by default. This is a HUGE security hole so you all might want to look into locking down your sudoers file. If a user issues passwd after doing sudo -s they will change ROOT's password. You all better check this out.

 
Maybe your setup is different from mine, but only admins have such rights on my machine. It seems reasonable for admins to have root, but definitely something to be aware of.

Anyway, my sudoers does have a bunch of alls in it, but all users who are root and all users in group admin are the only ones allowed to sudo.

Too bad this post isn't in the unix section, I'm sure some other CLI geeks would be in on this discussion.
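The check both posts come down to, seeing which users and groups the sudoers file lets become root, as an added example that is not part of the thread. The function names and the sample rules are constructed for illustration; alias definitions are skipped rather than expanded.

```shell
#!/bin/sh
# Added example: list sudoers rules that grant unrestricted root.

# sample_sudoers: prints a CONSTRUCTED sudoers file (not from a real system).
sample_sudoers() {
    cat <<'EOF'
# constructed sample for illustration
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=/usr/bin/lpr
bob     ALL=(ALL) NOPASSWD: ALL
carol   ALL=(operator) ALL
EOF
}

# audit_sudoers: reads sudoers text on stdin and prints "user:NAME" or
# "group:NAME" for every rule that allows all commands on all hosts as root
# (run-as spec absent, ALL or root). Restricted rules are not reported.
audit_sudoers() {
    awk '
        /^[ \t]*#/ { next }     # comments (and #include lines)
        /^[ \t]*$/ { next }     # blank lines
        /^[ \t]*(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
        {
            who  = $1
            rule = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", rule)   # drop the principal
            gsub(/[ \t]/, "", rule)                 # normalise spacing
            # host ALL, optional (ALL|root[:group]) run-as, optional tags, command ALL
            if (rule ~ /^ALL=(\((ALL|root)(:[^)]*)?\))?([A-Z_]+:)*ALL$/) {
                if (substr(who, 1, 1) == "%")
                    print "group:" substr(who, 2)
                else
                    print "user:" who
            }
        }
    '
}

# Demo on the constructed sample; prints the three unrestricted principals.
sample_sudoers | audit_sudoers
```

On a real machine the input would be the actual file, for example `sudo cat /etc/sudoers | audit_sudoers`; `sudo -l` shows what the current account is allowed to run.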
 