news: FastTasks Update

With recent adware attacks exploiting a vulnerability in OS X to give themselves sudo privileges without the user ever entering a password, we thought it would be a good idea to have FT2 show you information on the sudo permissions file. This feature has been added in today's update, FT2 v1.68.

The file in question, sudoers, lives in the (usually hidden) /private/etc folder at the root of your hard drive (/etc is a symlink to that folder). Most ordinary users won't have cause to go digging around in there and probably don't even know it exists. However, sudoers is the file that determines who may run commands as root (or as another user) through sudo in the shell (aka 'the Terminal'), and adding a user to the sudoers file gives them pretty much carte blanche over the system; a rule tagged NOPASSWD means they will not even be asked for their password.

It appears that Apple have already taken steps to block the recent attack, and the next version of OS X (likely due out next month) will restrict what even root, and therefore anyone listed in sudoers, can do to system files (although not to the user's own files). Nevertheless, we think it's a good idea to have an easy visual check as to whether the sudoers file has been modified or not. You can find the sudoers information in the Analyser just before the System section (marked by the green dashed line).

Be aware that if an attacker gains access to your system, they could not only modify the sudoers file but replace it outright with a new one. A replaced file shows a fresh creation date with a modification date to match, so a "has it been modified since it was created?" check alone will not catch that. With that in mind, it's worth checking when the file was created and comparing that against what you expect. Running the public release of OS X Yosemite, build 14E46 (you can find the build number in the FastTasks menu), my default sudoers file has a creation date of 2014-09-10. If you are running a different build of Yosemite or OS X you may see a different date. Obviously, if you have modified the file (or given an app or process permission to modify it), that will also change the dates you see.


About philastokes

Independent Software Developer, Technical Writer and Researcher at SentinelOne. Explaining the unexplainable with images, video and text. Scripting anything imaginable in AppleScript, Bash, Python and Swift.

Posted on August 8, 2015, in FastTasks. 3 Comments.

  1. FT2 found a sudo in a USB 1TB drive that has Yosemite.

    What do I do about that sudo?

    • Nothing! Every installation of OS X must have a sudoers file. However, that file should not have been modified unless you did it yourself (assuming you are the owner and administrator of the machine).

      I can’t emphasize strongly enough that you should NOT start messing around with the sudoers file if you do not know what you’re doing. You’ll break your system.

      Read the man sudoers page for more information.

  2. FastTasks is a great application for tracking what goes on during an installation/change to the system files. It reminds me of an OS 9 programme that did very much the same except there was more information provided in that programme.
