Dr. Daniel, M.D.

Q: Security issue? Gaining root is ridiculously easy.

Okay, so I noticed the other day that an app (forget which) that usually prompts for my password to gain root privileges didn't do so — it just continued doing what it needed the privileges for.

I remembered that shortly before, I had used sudo in iTerm to run a command with root privileges, and I know that OS X doesn't ask for your password after the first time you run sudo unless a number of minutes have passed. I had assumed that this behavior would be local to the thread from which you initially provided the password, which would've been the zsh session in iTerm. However, it seemed that it wasn't local to the zsh session, nor to zsh, nor to iTerm. A completely different app had apparently piggy-backed on my sudo "session" and gained root privileges without my approval.

I tested this by issuing a sudo command in zsh in iTerm, and then, after having provided my password, I opened up Terminal with bash and issued a sudo command there. No password prompt, instant root privileges.

Based on this, it's clear that any app which runs as a user who can run sudo to gain root privileges (which is any normal OS X user) can wait for the user to execute sudo, and immediately gain root access to the system. Knowing when the current user runs sudo is easy, as such an event is written to the syslog.

Proof of concept. Quick-n-dirty. Save as a script and run in a terminal window. Then, run sudo in a different terminal window. The script will catch the sudo event and write the empty file "kilroy-was-here", as root:wheel, to the root of the drive.

#!/bin/bash

# Block until the current user's next sudo entry shows up in the system log
# (sudo logs lines of the form "sudo[<pid>]: <user> : ..."), exiting on the first match.
tail -f -n 0 /var/log/system.log | grep -m 1 -E 'sudo\[[0-9]+\]:\s+'$USER

echo "Gonna play around with root privs ..."

# The cached credential is shared across terminals, so this sudo does not prompt.
sudo touch /kilroy-was-here

This seems... Wrong... Thoughts?

Daniel

MacBook Air, OS X El Capitan (10.11.6)

Posted on Jul 26, 2016 2:42 AM
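The window the question describes exists because sudo caches the password per user, not per terminal. As an added example (not code from the question or any reply), here is a small shell checker for the two sudoers Defaults that narrow that window: timestamp_timeout=0 (never cache) and tty_tickets (cache per user and tty). Both keywords are real sudoers options; the sample sudoers contents are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the original post. Two sudoers Defaults close the
# cross-terminal window described in the question (both are real sudoers keywords):
#   Defaults timestamp_timeout=0   # never cache the password; every sudo prompts
#   Defaults tty_tickets           # cache per user+tty instead of per user
# The checker reads a sudoers-format file on stdin and reports which policy applies.

# Keep only "Defaults" lines (including Defaults:user / Defaults@host / Defaults>runas /
# Defaults!cmd forms), with trailing comments removed. Never fails, for set -e callers.
sudoers_defaults() {
    sed -e 's/#.*$//' \
        | grep -E '^[[:space:]]*Defaults([:@>!][^[:space:]]+)?[[:space:]]' || true
}

# Prints "no_cache", "per_tty" or "per_user" (the OS X default the question ran into).
sudoers_ticket_policy() {
    defs=$(sudoers_defaults)
    if printf '%s\n' "$defs" \
        | grep -Eq '(^|[[:space:],])timestamp_timeout[[:space:]]*=[[:space:]]*0([[:space:],]|$)'
    then echo no_cache
    elif printf '%s\n' "$defs" | grep -Eq '(^|[[:space:],])tty_tickets([[:space:],]|$)'
    then echo per_tty
    else echo per_user
    fi
}

# Constructed samples: a file with the default (shared) ticket, and a hardened one.
SUDOERS_WEAK='Defaults env_reset
%admin ALL=(ALL) ALL'
SUDOERS_HARD='Defaults env_reset, tty_tickets   # one ticket per terminal
Defaults timestamp_timeout=5
%admin ALL=(ALL) ALL'

# Real-system usage: sudo cat /etc/sudoers | sudoers_ticket_policy
printf '%s\n' "$SUDOERS_WEAK" | sudoers_ticket_policy   # prints per_user
printf '%s\n' "$SUDOERS_HARD" | sudoers_ticket_policy   # prints per_tty
```

Independently of sudoers, `sudo -k` after a privileged command drops the cached credential immediately.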

  • by BobHarris,

    Level 6 (19,526 points), Mac OS X
    Jul 29, 2016 5:16 PM in response to etresoft

    etresoft wrote:

    This thread must have been edited because I don't see the quoted line anywhere.

    Yup. But I received the email before it was removed. Since it was addressed to me, I wanted to clear up one of the points in the deleted post.
