XMission's Company Journal

…and you’re root

A recent vulnerability in OS X, Linux, BSD, and many other systems allows some users to become root without a password. Luckily there are some ways you can protect yourself.

The process:

Run sudo -k, change the time to 01-01-1970, run sudo su, and you’re root. It’s so simple it can fit in a tweet.

Two caveats:

  1. The user running sudo must have sudoer privileges
  2. You must be able to change the time without root-level privileges

The problem:

Changing the date used to be a root-level only privilege, however both OS X (unlocked System Preferences) and Linux/BSD (common in desktop environments, e.g. polkit).

With OS X and most Linux/BSD distributions, the initial user created automatically gets sudoer privileges since they are the user installing the system. The way that someone could get root access to your machine is if you leave your computer unlocked and walk away or allow password-less logins to your machine.

The fix:

Keep your system up-to-date. If your computer has auto-updating for security packages, enable it. Keep your computer locked when you walk away. If you are on OS X, lock your System Preferences by clicking the lock-icon in the bottom left of any of the Preferences windows.

The vulnerability is detailed at these security alert websites:



Comments are currently closed.

One thought on “…and you’re root