[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Vulnerability in Terminal.app

To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Vulnerability in Terminal.app
From: hays@ibiblio.org
Date: Wed, 19 Nov 2003 13:27:51 -0500

--On Wednesday, November 19, 2003 12:00 PM -0500 full-disclosure-request@lists.netsys.com wrote:

There is a work-around for this vulnerability of course - actually
several.

1. Never use sudo (not particularly practical).

2. Never put your box to sleep after a sudo unless at least 5 minutes
(or whatever your interval is set to) have passed.

3. Issue either the 'sudo -k' command or the 'sudo -K' command before
putting your box to sleep - make it a habit no matter if you remember
issuing an ordinary sudo recently or not - 'just in case'.

4. Change your sudo settings to require a password each time you use it:

    timestamp_timeout
                Number of minutes that can elapse before sudo will ask for
                a passwd again.  The default is 5.  Set this to 0 to
always                 prompt for a password.  If set to a value less
than 0 the                 user's timestamp will never expire.  This can
be used to                 allow users to create or delete their own
timestamps via                 sudo -v and sudo -k respectively.

5. Require password on wake from sleep (which seems like an all around good idea anyway)?

Also replicated on my 10.3 powerbook, fwiw.

--


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Vulnerability in Terminal.app
  - From: Matt Burnett <marukka@mac.com>

Prev by Date: Re: [Full-Disclosure] Sidewinder G2
Next by Date: RE: [Full-Disclosure] Sidewinder G2 Thanks and a question or two
Previous by thread: Re: [Full-Disclosure] Vulnerability in Terminal.app
Next by thread: Re: [Full-Disclosure] Vulnerability in Terminal.app
Index(es):
- Date
- Thread