sudo hole

ayf6

Registered
If any user goes to the terminal and does sudo -s and, when prompted for a password, enters their OWN password, they have gained root access. For some reason Apple decided it would be nice to include ALL:ALL in the sudoers file by default. This is a HUGE security hole, so you all might want to look into locking down your sudoers file. If a user issues passwd after doing sudo -s, they will change ROOT's password. You all better check this out.

 
This only happens if the user sudo'ing is allowed to administer the machine in the users preference panel.

I just created a new user who did not have that box checked, and tried a 'sudo -s'. I got a message saying that I wasn't allowed, and that the incident would be reported (nice touch, I thought).

However, having that box checked does allow users to sudo, which is not very nice. Having group admins is one thing, allowing them all access to Godly root is another.
 
You know what you doing!
Move Zig!


oops, erm...

What I did was create a new group (bossgrp) using NetInfo, add myself (only) to it, and edit /etc/sudoers, replacing this line:

%admin ALL=(ALL) ALL

with

%bossgrp ALL=(ALL) ALL
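
An added example, not part of the original posts: a small shell/awk audit that lists which users and groups in a sudoers file hold an unrestricted ALL=(ALL) ALL grant, the rule discussed in this thread. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: report principals that may run any command as any user.

# full_root_grants [FILE] -> prints "principal<TAB>rule" per unrestricted grant.
# Reads stdin when no file is given.
full_root_grants() {
    awk '
        # Join backslash-continued lines into one logical rule.
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { line = buf $0; buf = "" }
        {
            sub(/^[ \t]+/, "", line)
            # Skip blank lines, comments, Defaults entries and alias definitions.
            if (line == "" || line ~ /^#/) next
            if (line ~ /^(Defaults|[A-Za-z]+_Alias)/) next
            split(line, f, /[ \t]+/)
            who = f[1]                      # user name, or %group
            spec = line
            sub(/^[^ \t]+[ \t]+/, "", spec) # drop the principal
            gsub(/[ \t]/, "", spec)         # normalise spacing
            # Any host, any run-as user, any command (with or without a tag).
            if (spec ~ /^ALL=\(ALL(:ALL)?\)(NOPASSWD:|PASSWD:)?ALL$/)
                printf "%s\t%s\n", who, line
        }
    ' "$@"
}

# Constructed sample, not copied from a real machine.
sample_sudoers() {
    cat <<'EOF'
# sudoers file (constructed sample)
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
%bossgrp ALL = (ALL) \
    ALL
%staff  ALL=(ALL) /sbin/shutdown
EOF
}

sample_sudoers | full_root_grants
```

Run it against a copy of /etc/sudoers to see every group whose members get full root; changes to the live file are normally made with visudo, which checks syntax before saving.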

 