modified /etc/sudoers

[davidlv]

The latest version of etracheck, v2.41 highlights "modified /etc/sudoers" in red on my MP 2009, (firmware update to 5,1), running 10.10.5. Is this serious, and what can be done?

 

[CoastalOR]

The latest version of etracheck, v2.41 highlights "modified /etc/sudoers" in red on my MP 2009, (firmware update to 5,1), running 10.10.5. Is this serious, and what can be done?

Please copy & paste the entire Etrecheck 2.4.1 report so we can see the exact error and hopefully help.

FYI, I downloaded the new Etrecheck 2.4.1 with the new "Checks for modified /etc/sudoers file" feature and ran it on my 2015 MBP OS 10.10.4. There were no red modified /etc/sudoers errors reported. I wanted to see if there might be a bug in the new 2.4.1 and Yosemite. I do plan to update the Mac mini 2014 to 10.10.5 tomorrow. It might be interesting to run Etrecheck 2.4.1 on the newly updated 10.10.5 to see if it has a modified /etc/sudoers errors with it.

 

[davidlv]

Please copy & paste the entire Etrecheck 2.4.1 report so we can see the exact error and hopefully help.

FYI, I downloaded the new Etrecheck 2.4.1 with the new "Checks for modified /etc/sudoers file" feature and ran it on my 2015 MBP OS 10.10.4. There were no red modified /etc/sudoers errors reported. I wanted to see if there might be a bug in the new 2.4.1 and Yosemite. I do plan to update the Mac mini 2014 to 10.10.5 tomorrow. It might be interesting to run Etrecheck 2.4.1 on the newly updated 10.10.5 to see if it has a modified /etc/sudoers errors with it.

Here is the error from Etrecheck 2.4.1: (copy and paste shows it in black here, but the "/etc/sudoers" and "Anywhere" were in red)
Configuration files: (What does this mean?)
/etc/sudoers - Modified
Gatekeeper: (What does this mean?)
Anywhere
I am wondering if this is in anyway related to the "sudo trimforce enable" command I used to enable trim for the 256 GB SSD in my MP.

 

[MacUser2525]

Here is the error from Etrecheck 2.4.1: (copy and paste shows it in black here, but the "/etc/sudoers" and "Anywhere" were in red)
Configuration files: (What does this mean?)
/etc/sudoers - Modified
Gatekeeper: (What does this mean?)
Anywhere
I am wondering if this is in anyway related to the "sudo trimforce enable" command I used to enable trim for the 256 GB SSD in my MP.

No that is a command usage of sudo it can never modify the sudoers file, it is modified using the visudo command below is a stock file from Apple run the cat command shown and compare them.

MacUser2525:~$ sudo cat /etc/sudoers
Password:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification
Defaults   env_reset
Defaults   env_keep += "BLOCKSIZE"
Defaults   env_keep += "COLORFGBG COLORTERM"
Defaults   env_keep += "__CF_USER_TEXT_ENCODING"
Defaults   env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults   env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults   env_keep += "LINES COLUMNS"
Defaults   env_keep += "LSCOLORS"
Defaults   env_keep += "SSH_AUTH_SOCK"
Defaults   env_keep += "TZ"
Defaults   env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults   env_keep += "EDITOR VISUAL"
Defaults   env_keep += "HOME MAIL"

# Runas alias specification

# User privilege specification
root   ALL=(ALL) ALL
%admin   ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel   ALL=(ALL) ALL

# Same thing without a password
# %wheel   ALL=(ALL) NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now

 

[davidlv]

No that is a command usage of sudo it can never modify the sudoers file, it is modified using the visudo command below is a stock file from Apple run the cat command shown and compare them.

MacUser2525:~$ sudo cat /etc/sudoers
Password:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
# Failure to use 'visudo' may result in syntax or file permission errors
# that prevent sudo from running.
#
# See the sudoers man page for the details on how to write a sudoers file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# Defaults specification
Defaults   env_reset
Defaults   env_keep += "BLOCKSIZE"
Defaults   env_keep += "COLORFGBG COLORTERM"
Defaults   env_keep += "__CF_USER_TEXT_ENCODING"
Defaults   env_keep += "CHARSET LANG LANGUAGE LC_ALL LC_COLLATE LC_CTYPE"
Defaults   env_keep += "LC_MESSAGES LC_MONETARY LC_NUMERIC LC_TIME"
Defaults   env_keep += "LINES COLUMNS"
Defaults   env_keep += "LSCOLORS"
Defaults   env_keep += "SSH_AUTH_SOCK"
Defaults   env_keep += "TZ"
Defaults   env_keep += "DISPLAY XAUTHORIZATION XAUTHORITY"
Defaults   env_keep += "EDITOR VISUAL"
Defaults   env_keep += "HOME MAIL"

# Runas alias specification

# User privilege specification
root   ALL=(ALL) ALL
%admin   ALL=(ALL) ALL

# Uncomment to allow people in group wheel to run all commands
# %wheel   ALL=(ALL) ALL

# Same thing without a password
# %wheel   ALL=(ALL) NOPASSWD: ALL

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now

Thanks. Ran that command, only thing that looks different is as shown below; after the "HOME MAIL" entry:
an empty line then:
Defaults lecture_file = "/etc/sudo_lecture"
Have no idea what that is....

 

[MacUser2525]

Thanks. Ran that command, only thing that looks different is as shown below; after the "HOME MAIL" entry:
an empty line then:
Defaults lecture_file = "/etc/sudo_lecture"
Have no idea what that is....

Nor do I and quite a rare event a one hit google search result don't believe I have ever seen that before. Even then nothing applying to the lecture part in that post, you may want to use the visudo and remove that line, being lecture in the line I would think it is some kind of talking at you type response that is made when it invoked. Lecturing you about the use of sudo most likely still get rid of it and run the etracheck again to see if the warning goes away.

https://www.google.ca/search?q=Defa..._lecture"&gws_rd=cr&ei=O4TTVaCBCMzk-QGcspDQBw

 

[davidlv]

Nor do I and quite a rare event a one hit google search result don't believe I have ever seen that before. Even then nothing applying to the lecture part in that post, you may want to use the visudo and remove that line, being lecture in the line I would think it is some kind of talking at you type response that is made when it invoked. Lecturing you about the use of sudo most likely still get rid of it and run the etracheck again to see if the warning goes away.

https://www.google.ca/search?q=Defaults+lecture_file+=+"/etc/sudo_lecture"&gws_rd=cr&ei=O4TTVaCBCMzk-QGcspDQBw

OK Tried that, using the visudo -c command, got a "can't open /private/etc/sudoers: Permission denied" error. I have run the Repair permissions function in both Disk Utility and Onyx, so I don't understand what is going on there. May try booting to the recovery partition and repair them from there.

 

[MacUser2525]

OK Tried that, using the visudo -c command, got a "can't open /private/etc/sudoers: Permission denied" error. I have run the Repair permissions function in both Disk Utility and Onyx, so I don't understand what is going on there. May try booting to the recovery partition and repair them from there.

Well you still have to be root when editing so that would have been sudo visudo for the command.

 

[davidlv]

Well you still have to be root when editing so that would have been sudo visudo for the command.

OK, that works. Now, after using the back delete to erase that line, how do I save the edits? Simply quit the terminal session or something else? Sorry for the basic help questions!

 

[MacUser2525]

OK, that works. Now, after using the back delete to erase that line, how do I save the edits? Simply quit the terminal session or something else? Sorry for the basic help questions!

You are using vi when editing it so the sequence :wq followed by the enter key will put you in command mode then write and quit the file all at the same time.

Edit: Hit the esc key a couple of times before typing in that to make sure you are out of an edit or delete mode you may be in when getting rid of the line.

 

[the bug]

This may or may not be related, but you may have been hit by this exploit :

https://blog.malwarebytes.org/mac/2015/08/dyld_print_to_file-exploit-found-in-the-wild/

- Jay

 

[davidlv]

You are using vi when editing it so the sequence :wq followed by the enter key will put you in command mode then write and quit the file all at the same time.

Edit: Hit the esc key a couple of times before typing in that to make sure you are out of an edit or delete mode you may be in when getting rid of the line.

1. On my MBP: Followed your instructions, deleted that line with lecture in it, hit esc 2 times, typed in the :wq command, and that seems to have worked/ However, etracheck still shows that red error.
2. On the MP; before I read your instructions, I simply quit terminal, which evidently left a temporary file behind. I assume I can just delete that file, then edit out the extra line using the sudo visudo command, etc.
I can't access the MP until later, so I'll post the result of that afterwards.
I think I may have to use the cat command again, copy every thing and post it here, there may be something other than the "lecture" line prompts that error in etracheck.
BTW, thanks so much for your time and effort, much appreciated.
I am not well versed in using these tools, as you can gather, and it is all a little daunting.
I have run Malwarebytes, and it shows no infections, so I wonder if that etracheck error is really worth worrying about.

 

[MacUser2525]

1. On my MBP: Followed your instructions, deleted that line with lecture in it, hit esc 2 times, typed in the :wq command, and that seems to have worked/ However, etracheck still shows that red error.
2. On the MP; before I read your instructions, I simply quit terminal, which evidently left a temporary file behind. I assume I can just delete that file, then edit out the extra line using the sudo visudo command, etc.
I can't access the MP until later, so I'll post the result of that afterwards.
I think I may have to use the cat command again, copy every thing and post it here, there may be something other than the "lecture" line prompts that error in etracheck.
BTW, thanks so much for your time and effort, much appreciated.
I am not well versed in using these tools, as you can gather, and it is all a little daunting.
I have run Malwarebytes, and it shows no infections, so I wonder if that etracheck error is really worth worrying about.

If that program is using some kind of checksum or perhaps modification date then by the contents having changed it will always error. The Malwarebytes showing nothing is a good sign I would check to see if the file is actually on the system.

MacUser2525:~$ ls -l /etc/sudo_lecture
ls: /etc/sudo_lecture: No such file or directory

With perhaps these commands as well.

file /etc/sudo_lecture
cat /etc/sudo_lecture

The first will tell you what the system thinks the type of file if it exists is and of course the second will quickly show the contents. With the cat if you see text scrolling by then that would be fine if it looks like gibberish with funky characters it would mean it is a binary file which would concern me especially with you not knowing where it has come from.

 

[davidlv]

If that program is using some kind of checksum or perhaps modification date then by the contents having changed it will always error. The Malwarebytes showing nothing is a good sign I would check to see if the file is actually on the system.

MacUser2525:~$ ls -l /etc/sudo_lecture
ls: /etc/sudo_lecture: No such file or directory

With perhaps these commands as well.

file /etc/sudo_lecture
cat /etc/sudo_lecture

The first will tell you what the system thinks the type of file if it exists is and of course the second will quickly show the contents. With the cat if you see text scrolling by then that would be fine if it looks like gibberish with funky characters it would mean it is a binary file which would concern me especially with you not knowing where it has come from.

Thanks again. I think I got this sorted, well mostly. I deleted the /etc/sudo_lecture file, and safely edited the sudoers file using visudo (it quit without any syntax errors using the :wq command). In addition to the Defaults lecture_file = "/etc/sudo_lecture" line, I found a line naming three ADMINS, none with my admin name. I edited that to have only my name. Etracheck still gives that red modified error, but that may be OK now, as I did modify it.
How did this all get started, is the only remaining question, ... I think.
As previously, Malwarebytes says there is no adware or malware on my system, and 10.10.5 runs very smoothly on my old MP (AMD 5770 and 2.66GHz 4-core CPU).

 

[MacUser2525]

Thanks again. I think I got this sorted, well mostly. I deleted the /etc/sudo_lecture file, and safely edited the sudoers file using visudo (it quit without any syntax errors using the :wq command). In addition to the Defaults lecture_file = "/etc/sudo_lecture" line, I found a line naming three ADMINS, none with my admin name. I edited that to have only my name. Etracheck still gives that red modified error, but that may be OK now, as I did modify it.
How did this all get started, is the only remaining question, ... I think.
As previously, Malwarebytes says there is no adware or malware on my system, and 10.10.5 runs very smoothly on my old MP (AMD 5770 and 2.66GHz 4-core CPU).

Well how it got there is the question if this machine has been in your possession for its life then something/someone put it and the other changes there. Now if it was my machine scorched earth would be my approach with it wipe it and re-install bringing over none of the files from the old install. But that could just be me as you say scanning it for problems shows none so if you feel comfortable with that approach continue on.

 

[davidlv]

Well how it got there is the question if this machine has been in your possession for its life then something/someone put it and the other changes there. Now if it was my machine scorched earth would be my approach with it wipe it and re-install bringing over none of the files from the old install. But that could just be me as you say scanning it for problems shows none so if you feel comfortable with that approach continue on.

Scorched earth is rather drastic, and reinstalling everything means about a day or 2 of work! I may just boot up from another disk, delete the /private folder on the target disk, and then run 10.10.5 installer.

 

[MacUser2525]

Scorched earth is rather drastic, and reinstalling everything means about a day or 2 of work! I may just boot up from another disk, delete the /private folder on the target disk, and then run 10.10.5 installer.

Yes definitely drastic but that is just me. Once something like that happens on a machine I am working on that is it. Now people do not like the idea of having to go through setting it all back up but I will err on the side of not re-importing the problem every time. But then again it is not my problem I caught one virus decades ago and learned my lesson well backups, backups and more backups just in case the first couple fail and never run untrusted source or let these stupid programs run on your machine like so many seem to do. In short I am paranoid as hell about my data and do everything in my power to protect it.

 

[davidlv]

Yes definitely drastic but that is just me. Once something like that happens on a machine I am working on that is it. Now people do not like the idea of having to go through setting it all back up but I will err on the side of not re-importing the problem every time. But then again it is not my problem I caught one virus decades ago and learned my lesson well backups, backups and more backups just in case the first couple fail and never run untrusted source or let these stupid programs run on your machine like so many seem to do. In short I am paranoid as hell about my data and do everything in my power to protect it.

I know where you are coming from about backups, I have 2 external CCC clones for each computer I own. Saved me countless hours many times. In the MP, I have 2 internal clones as well, which I also use to store large installers etc.
Thanks again for your help with the etracheck issue.