osx - Security risks using SUDO in TERMINAL on MAC

07
2014-07
  • PaparazzoKid

    I'm very new to using Terminal and anything like that and stupidly followed an article that uses Terminal with the SUDO command. The sudo command basically loaded a file which updated my /private/etc/hosts file. I opened the file and made sure it was just doing this and nothing else.

    Nothing went wrong, but later on I read that this was a bit silly and that it has opened up my machine to all kinds of security attacks. First of all, I'd like this statement verified: "open to security attacks". Have I really? If yes, what steps can be taken to resecure things? This is what I used in Terminal:

    The Terminal Commands

    sudo -s
    [enter password]
    sh updateOSXHostFile
    

    The file:

    #!/bin/bash
    # Ask before touching the hosts file; "select" is a bash builtin.
    echo "Do you wish to update your host file ?"
    select yn in "Yes" "No"; do
        case $yn in
            # Append blackhole entries so these names resolve to 0.0.0.0
            Yes ) echo "0.0.0.0 yahoo.com" >> /etc/hosts;
                  echo "0.0.0.0 www.yahoo.com" >> /etc/hosts;
                  break;;
            No ) break;;
        esac
    done
    

    Which successfully updated the hosts file to block access to specific sites.

  • Answers
  • BrianAdkins

    Running a command using sudo is no different than running a command as an administrator on Windows.

    What's really important is "what you did" while using those elevated permissions. If you simply added IP addresses to your hosts file that effectively blackhole certain sites (common for ad-blocking), then you are fine...

    If the script you ran redefines Google's address by pointing you to a malicious server instead (DNS poisoning), or something else nefarious, then you're in trouble.

    Based on the script you've provided, you're fine... But yahoo is dead to you.

    Related article about black-holing specific sites: http://someonewhocares.org/hosts/zero/ (that's how to go overboard with this method)

    I prefer using OpenDNS to the method above.

  • drk.com.ar

    By executing a script with sudo you are giving it superuser privileges. So anything the script is programmed to do is going to be done by root (superuser). How risky it is depends on who programmed the script, or more precisely what the script does.

    As a general rule you should not execute such a script unless you trust the source.

    In your particular case: if the script modified the hosts file, it could place a line like:

    199.55.22.33    www.yourbank.com
    

    Using an IP address which doesn't belong to your bank. And that would be a pretty good start for phishing.

    UPDATE: As you published the code, we can see this script is trying to block access to yahoo.com, which seems harmless. But even if a script only messes with the hosts file, it could be dangerous.
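    Added example (not part of either answer): a small POSIX shell audit that implements the check drk.com.ar's answer implies, listing every active hosts entry that maps a name to a real address instead of a loopback or blackhole one. The sample hosts file is constructed; the 199.55.22.33 line is the one from the answer.

```shell
#!/bin/sh
# Added example (not from the original answers): list every active hosts
# entry that points a name at a real address rather than a loopback or
# blackhole one. Those are the entries a rogue script would add to
# redirect traffic, so they are the ones worth reviewing after running
# an untrusted script as root.

# Print "address name" for each flagged entry in the given hosts file.
audit_hosts() {
  # Drop comments and blank lines, then let awk judge each address.
  sed 's/#.*//' "$1" | awk '
    function harmless(a) {
      # loopback, unspecified (blackhole), broadcast and link-local
      # addresses cannot redirect a name to a remote host
      return a == "0.0.0.0" || a ~ /^127\./ || a == "::1" || a == "::" ||
             a == "255.255.255.255" || a ~ /^fe80:/
    }
    NF >= 2 && !harmless($1) { for (i = 2; i <= NF; i++) print $1, $i }
  '
}

# Number of flagged entries, as a plain integer (wc pads with spaces on macOS).
count_flagged() {
  audit_hosts "$1" | wc -l | tr -d ' '
}

# Constructed sample hosts file: macOS defaults, the poster's yahoo
# blackholes, and the kind of rogue line drk.com.ar warns about.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
##
# Host Database (constructed sample)
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
0.0.0.0 yahoo.com
0.0.0.0 www.yahoo.com
199.55.22.33    www.yourbank.com   # not your bank's address
EOF

echo "Entries to review in $SAMPLE:"
audit_hosts "$SAMPLE"
```

    Run it against /etc/hosts instead of the sample to review a real machine; only the flagged lines need a decision.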


  • Related Question

    osx - non-interactive ssh sudo... prompts for the password in plain text
  • Iain

    I'm running some non-interactive ssh commands. The ssh authentication is taken care of fine through the ssh agent, but if I run a command that requires sudo then the password prompt in my terminal is plain text. For example:

    ssh remotemachine "sudo -u www mkdir -p /path/to/new/folder"
    

    will prompt me for the password in plain text. Does anyone know how I can get it to use the normal secure prompt or that I can pass the password via a switch? (as then I can set up a secure prompt on this side before I send the command)

    Any help is much appreciated.


  • Related Answers
  • Olli

    Use ssh -t:

    man ssh

    -t   Force pseudo-tty allocation. This can be used to execute arbitrary 
         screen-based programs on a remote machine, which can be very useful, 
         e.g. when implementing menu services. Multiple -t options force tty 
         allocation, even if ssh has no local tty.
    

    So your command will be

    ssh remotemachine -t "sudo -u www mkdir -p /path/to/new/folder"
    

    If you don't want to enter a password, you can (if you are allowed to) modify sudoers using the command visudo.

    Add parameter NOPASSWD:, for example

    username ALL=(ALL) NOPASSWD: /bin/mkdir
    

    If you can't edit /etc/sudoers, you can use sudo -S:

    man sudo

    -S      The -S (stdin) option causes sudo to read the password from
            the standard input instead of the terminal device.  The
            password must be followed by a newline character.
    

    With that, the command would be

    echo "your_password" | ssh remotemachine -t \
         "sudo -S -u www mkdir -p /path/to/new/folder"
    

    Remember that this will add your password to the command history of your shell (with bash, that would be the ~/.bash_history file).