Sudo Security Compromised


Davy
04-12-2005, 06:51 PM
http://www.pcmag.com/article2/0,1759,1784705,00.asp

Security Watch: Could sudo Compromise Mac OS?

Top Threat: sudo Root Compromise
Executive Summary
Name: sudo Root Compromise
Affects: Mac OS X 10.3.x confirmed, probable on all platforms running sudo

Details

A Trojan horse program run by a user with admin privileges can utilize the sudo utility program to execute as the root user.

The original report on this vulnerability described it as a problem with Mac OS X, but a subsequent report indicates that it applies to any platform on which sudo is run.

The problem is tied to default settings for sudo, under which a five-minute grace period exists after running it, during which sudo may be run without again providing a password. The execution context for sudo is system-global for the user, and not tied to a particular terminal session. Finally, the log file used by sudo (/var/log/system.log) is readable by anyone in the admin group.

Given these settings, the Trojan program waits for changes to be written to the /var/log/system.log and looks for entries that would elevate the user context of the Trojan. It then has five minutes to execute sudo with any command to elevate its own privileges.

How to avoid it:

According to the initial report, any of these steps will correct the problem:

* Add the following lines to the /etc/sudoers file, in the "Defaults" section:
  Defaults:ALL !syslog
  Defaults:ALL logfile=/var/log/secure.log
  This redirects the sudo logs to /var/log/secure.log (which has the appropriate permissions and is a more appropriate log for authentication components).
* Add the following line to the /etc/sudoers file, in the "Defaults" section:
  Defaults:ALL timestamp_timeout=0
  This removes the password grace period and forces the user to authenticate every time sudo is run.
* Add the following line to the /etc/sudoers file, in the "Defaults" section:
  Defaults:ALL tty_tickets
  This limits the sudo grace period to individual ttys (terminal sessions) and makes it much more difficult for a Trojan to compromise the system using this technique.

The author of the advisory recommends that you use the Visudo tool to edit the /etc/sudoers file. This utility will check your syntax, keeping you from corrupting your file.
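
As an added illustration (my own script, not part of the PC Magazine advisory or this thread), the following POSIX shell audit checks a sudoers file for the three mitigations listed above and tests whether a sudo log file carries the group/world read bit that made /var/log/system.log usable by an admin-group Trojan. The two sudoers samples it writes to temporary files are constructed for the demonstration; point the functions at /etc/sudoers and your real log file to check a live system.

```shell
# Added example, not from the advisory or this thread: audit a sudoers file for the
# three mitigations listed above and check whether sudo's log file is readable by
# the admin group or everyone. The sample sudoers contents below are constructed.

# sudoers_has_default FILE REGEX: succeed if a "Defaults" line (comments stripped)
# carries an option matching REGEX, such as 'tty_tickets' or 'timestamp_timeout=0'.
sudoers_has_default() {
    sed 's/#.*//' "$1" | grep -E '^[[:space:]]*Defaults' |
        grep -qE "(^|[[:space:],])$2([[:space:],]|\$)"
}

# audit_sudoers FILE: print one "ok:"/"missing:" line for each of the advisory's
# three mitigations. Any one of them blocks the log-watching technique.
audit_sudoers() {
    if sudoers_has_default "$1" '!syslog' &&
       sudoers_has_default "$1" 'logfile=[^[:space:],]+'; then
        echo "ok: sudo log redirected away from syslog (!syslog + logfile=)"
    else
        echo "missing: !syslog and logfile=... (sudo still logs via syslog)"
    fi
    if sudoers_has_default "$1" 'timestamp_timeout=0'; then
        echo "ok: timestamp_timeout=0 (no password grace period)"
    else
        echo "missing: timestamp_timeout=0"
    fi
    if sudoers_has_default "$1" 'tty_tickets'; then
        echo "ok: tty_tickets (grace period bound to one tty)"
    else
        echo "missing: tty_tickets"
    fi
}

# count_mitigations FILE: number of mitigations in place (0 = stock, exposed setup).
count_mitigations() { audit_sudoers "$1" | grep -c '^ok:'; }

# log_readable_by_others FILE: succeed if the group or world read bit is set, the
# condition that let an admin-group user watch sudo's entries in system.log.
log_readable_by_others() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ????r*|???????r*) return 0 ;;
    esac
    return 1
}

# Constructed samples: a stock sudoers and one carrying all three mitigations.
stock=$(mktemp); hardened=$(mktemp)
printf '%s\n' '# stock sudoers' 'root ALL=(ALL) ALL' '%admin ALL=(ALL) ALL' > "$stock"
printf '%s\n' 'Defaults:ALL !syslog' 'Defaults:ALL logfile=/var/log/secure.log' \
    'Defaults:ALL timestamp_timeout=0' 'Defaults:ALL tty_tickets # per-tty ticket' \
    '%admin ALL=(ALL) ALL' > "$hardened"
for f in "$stock" "$hardened"; do echo "== $f =="; audit_sudoers "$f"; done
rm -f "$stock" "$hardened"
```

Newer sudo releases ship with tty_tickets enabled by default, so on a modern system the audit is mostly useful for catching configurations that turned it back off.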

ions
04-12-2005, 07:18 PM
Originally posted by Davy
A Trojan horse program run by a user with admin privileges can utilize the sudo utility program to execute as the root user.

Darwinism. If a user insists on running some odd program they got in their email or off the Web with root privileges they deserve, and need, to be weeded out of *nix and frankly PCs altogether. That said it is indeed a flaw.

AdamZ
04-12-2005, 08:16 PM
On my debian unstable box, sudo logs to /var/log/auth.log by default. Regular users can't read this file.

Originally posted by ions
If a user insists on running some odd program they got in their email or off the Web with root privileges they deserve, and need, to be weeded out of *nix and frankly PCs altogether.

But that's the thing. You don't need to run a strange program as root. You just need sudo's log file readable by the user that runs any program with sudo. The trojan itself only needs user privileges.

pinter
04-12-2005, 11:08 PM
linux is at like 3% of the market now ... as it gains popularity you will see a lot more stuff like this and soon it will be as bad as windows!

lol

I can't wait!

serz
04-12-2005, 11:15 PM
Originally posted by pinter
linux is at like 3% of the market now ... as it gains popularity you will see a lot more stuff like this and soon it will be as bad as windows!

I thought about that a few times.. and it scares me! :)

leonpmu
04-13-2005, 12:07 AM
Originally posted by pinter
linux is at like 3% of the market now ... as it gains popularity you will see a lot more stuff like this and soon it will be as bad as windows!

lol

I can't wait!

hmmm, I think that Linux is at far more than 3% unless of course you are only referring to desktops, at which I think it is a little more. As for the 'net servers, it is more like 60% and climbing, also, I honestly don't think that Linux will ever get as bad as windows, because security IS a concern in the community, unlike that of MS, which is money.

Besides, there is more than likely already a patch released, if you subscribe to SANS, you get all this info in your mailbox.

ions
04-13-2005, 12:35 AM
Linux won't be as bad because by design it can't be. If it truly were more than FUD that Linux would be as bad as Linux if it had the same market share it would be known by now. Dontcha think MS has invested thousands of hours and ten times as many dollars trying to prove that Linux has holes? Dontcha think they woulda published ANYTHING that even leaned in their favour? Beat the point to death they would have. They've got nothing cause there's very little to have.

cybertron
04-13-2005, 12:44 AM
Originally posted by ions
Beat the point to death they would have.
Channeling Yoda?:)

pinter
04-13-2005, 07:32 AM
Originally posted by leonpmu
hmmm, I think that Linux is at far more than 3% unless of course you are only referring to desktops, at which I think it is a little more. As for the 'net servers, it is more like 60% and climbing, also, I honestly don't think that Linux will ever get as bad as windows, because security IS a concern in the community, unlike that of MS, which is money.

Besides, there is more than likely already a patch released, if you subscribe to SANS, you get all this info in your mailbox.

Yeah, I was talking about desktop not servers.

Linux has 60% of the market for servers? If so very very weird that I never heard a number even close to that on the several news sites I go to but if it is, wow. I think it's maybe 10% but I dunno.

60% wow

leonpmu
04-13-2005, 07:40 AM
Try netcraft and see for yourself, if you only work on the number of news websites that you look at you really are limiting yourself.....