With recent adware attacks exploiting a vulnerability in OS X and giving themselves sudo permissions without the user providing a password, we thought it’d be a good idea to have FT2 show you info on the Sudo permissions file. This feature has been added in today’ update, FT2 v1.68.

The file in question, sudoers, lives in the (usually) hidden /private/etc folder at the root of your hard drive. Most ordinary users won’t have cause to go digging around in there and probably don’t even know it exists. However, sudoers is the file that determines who can get admin access in the shell (aka ‘the Terminal’), and adding a user to the sudoers file gives them pretty much a carte blanche over the system.

It appears that Apple have already taken steps to block the recent attack, and the next version of OS X (likely due out next month) will restrict what even sudoers can do to the system (although not to the user). Nevertheless, we think it’s good idea to have an easy visual check as to whether the sudoers file has been modified or not. You can find the sudoers information in the Analyser just before the System section (marked by the green dashed line).

Be aware that it is entirely possible that if an attacker gains access to your system, they could not only modify the sudoers file, but completely replace it with a new one. That’d give a new creation date but no modification date. With that in mind, it’s worth checking just when the file was created. Running the public release of OS X Yosemite, build 14E46 (you can find the build number in FastTasks menu), my default sudoers file has a creation date of 2014-09-10. If you are running a different build of Yosemite or OS X you may see a different date. Obviously, if you have modified (or given an app or process permission to modify) the file, that will cause you to see different dates also.