…and you’re root
A recent vulnerability in OS X, Linux, BSD, and many other systems allows some users to become root without a password. Luckily there are some ways you can protect yourself.
sudo -k, change the time to
sudo su, and you’re root. It’s so simple it can fit in a tweet.
- The user running sudo must have sudoer privileges
- You must be able to change the time without root-level privileges
Changing the date used to be a root-only privilege; however, both OS X (with System Preferences unlocked) and Linux/BSD (common in desktop environments, e.g. via polkit) now allow it without root.
With OS X and most Linux/BSD distributions, the initial user created automatically gets sudoer privileges, since they are the user installing the system. Someone could get root access to your machine this way if you leave your computer unlocked and walk away, or if you allow password-less logins to your machine.
Keep your system up to date. If your computer has auto-updating for security packages, enable it. Keep your computer locked when you walk away. If you are on OS X, lock your System Preferences by clicking the lock icon in the bottom left of any of the Preferences windows.
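A further check, added here as an example and not part of the original post: the sudoers option timestamp_timeout controls how long sudo honours a cached credential, and a value of 0 makes sudo prompt every time, so there is no cached timestamp to rely on. The function names below are hypothetical; the script reads only global Defaults lines in the one file it is given and does not follow included files or per-user Defaults.

```shell
#!/bin/sh
# Added example: audit sudo credential caching in a sudoers file.
# timestamp_timeout (minutes): 0 = always prompt, negative = never expires.

# Print the global timestamp_timeout set in sudoers file $1, or "default"
# when no global Defaults line sets it (the build-time default then applies).
sudoers_timeout() {
    awk '
        /^[ \t]*#/ { next }                      # comments and #include lines
        $1 == "Defaults" {                       # skip Defaults:user, @host, ...
            line = $0
            sub(/[ \t]*#.*/, "", line)           # drop trailing comment
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            n = split(line, opts, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^timestamp_timeout[ \t]*=/) {
                    v = opts[i]
                    sub(/^[^=]*=[ \t]*/, "", v)
                    gsub(/[ \t"]/, "", v)
                    val = v                      # last setting wins
                }
        }
        END { print (val == "" ? "default" : val) }
    ' "$1"
}

# Map a timeout value to what it means for cached credentials.
classify_timeout() {
    case "$1" in
        default) echo "cache-enabled" ;;         # build default is non-zero
        -*)      echo "never-expires" ;;
        *)       awk -v v="$1" \
                     'BEGIN { print (v + 0 == 0 ? "no-cache" : "cache-enabled") }' ;;
    esac
}

# One-line report for a sudoers file.
audit_sudoers() {
    t=$(sudoers_timeout "$1")
    echo "$1: timestamp_timeout=$t -> $(classify_timeout "$t")"
}
```

Source the file and run audit_sudoers /etc/sudoers with enough privilege to read it; anything other than no-cache means sudo is still trusting a stored timestamp.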
The vulnerability is detailed at these security alert websites: