OS X can be root compromised by a trojan application. The trojan application does not require explicit user authentication to elevate its privileges to root, nor does the root account need to be enabled. The trojan application must be run from an account that is in the admin group, which is the default for the first account created and the context in which most users run. Once executed, the trojan application must only wait until the user leverages the sudo utility, either at the command line or by another application that leverages sudo to elevate its privileges.
So I went ahead and redirected sudo logging to secure.log and bound the sessions to their respective tty. Better safe than sorry…
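For readers who want to do the same, here is an added example of the relevant sudoers settings; it is not the configuration from the post or from the advisory, and the log file path is an assumption. The first two entries correspond to the two steps above (per-tty tickets and logging via the authpriv facility); the last one goes beyond the post and removes the cached-credential window the trojan waits for altogether.

```sudoers
# Added example (not the post's own file). Edit with `visudo`; the
# logfile path is an assumption.

# Keep a separate sudo timestamp per tty, so a process sitting on
# another tty cannot reuse the credentials cached by your interactive
# `sudo` call.
Defaults    tty_tickets

# Send sudo's own messages to syslog on the authpriv facility (on a
# syslog-based OS X this is what ends up in secure.log, see note below).
Defaults    syslog=authpriv

# Additionally keep a plain-text log of every sudo invocation,
# independent of syslog (assumed path).
Defaults    logfile=/var/log/sudo.log

# Beyond the post: do not cache credentials at all, so every sudo call
# prompts for a password and there is no window for a waiting trojan.
Defaults    timestamp_timeout=0
```

Where the authpriv messages land depends on the system's syslog configuration; on the OS X versions of that era this was a line of the form `authpriv.* /var/log/secure.log` in /etc/syslog.conf (assumed here, check your own file). After editing, run `sudo -l` from a second terminal window: with `tty_tickets` in place it must ask for a password even though you just authenticated in the first one.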
The full advisory at Security Focus.
(via: Powerbook Blog)