Re: [Full-Disclosure] Vulnerability in Terminal.app
- To: <hays@ibiblio.org>, <full-disclosure@lists.netsys.com>
- Subject: Re: [Full-Disclosure] Vulnerability in Terminal.app
- From: Matt Burnett <marukka@mac.com>
- Date: Wed, 19 Nov 2003 14:58:33 -0600
In order for someone to exploit this, wouldn't they need physical
access? And if they had physical access they could simply just boot into
single user mode (enabled by default), or off a cd (enabled by default), or
simply steal the machine.
On 11/19/03 12:27 PM, "hays@ibiblio.org" <hays@ibiblio.org> wrote:
>
>
> --On Wednesday, November 19, 2003 12:00 PM -0500
> full-disclosure-request@lists.netsys.com wrote:
>
>>> There is a work-around for this vulnerability of course - actually
>>> several.
>>>
>>> 1. Never use sudo (not particularly practical).
>>>
>>> 2. Never put your box to sleep after a sudo unless at least 5 minutes
>>> (or whatever your interval is set to) have passed.
>>>
>>> 3. Issue either the 'sudo -k' command or the 'sudo -K' command before
>>> putting your box to sleep - make it a habit no matter if you remember
>>> issuing an ordinary sudo recently or not - 'just in case'.
>>
>> 4. Change your sudo settings to require a password each time you use it:
>>
>> timestamp_timeout
>> Number of minutes that can elapse before sudo will ask for
>> a passwd again. The default is 5. Set this to 0 to
>> always prompt for a password. If set to a value less
>> than 0 the user's timestamp will never expire. This can
>> be used to allow users to create or delete their own
>> timestamps via sudo -v and sudo -k respectively.
>
> 5. Require password on wake from sleep (which seems like an all around good
> idea anyway)?
>
> Also replicated on my 10.3 powerbook, fwiw.
>
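A small audit script for the timestamp_timeout setting quoted above, added here as an example and not part of the original thread. It assumes a sudoers file in the standard Defaults syntax and treats every Defaults line as applying to the current user (per-user or per-host Defaults are not distinguished); the sample file it reads is constructed inline.

```shell
#!/bin/sh
# Report the effective sudo timestamp_timeout from a sudoers-format file
# and classify it the way the man page excerpt in the thread does.

# effective_timestamp_timeout FILE
# Echoes the effective value in minutes. Comments are stripped, only
# Defaults lines are considered, comma-separated option lists are split,
# and the last timestamp_timeout assignment wins. Absent means sudo's
# built-in default of 5.
effective_timestamp_timeout() {
    last=$(sed 's/#.*//' "$1" \
        | grep -E '^[[:space:]]*Defaults' \
        | tr ',' '\n' \
        | sed -n 's/.*timestamp_timeout[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9]\{1,\}\).*/\1/p' \
        | tail -n 1)
    echo "${last:-5}"
}

# timestamp_verdict MINUTES
# 0 -> always-prompt (workaround 4 in the thread), negative -> never-expires
# (timestamp persists until sudo -k), otherwise -> cached (survives sleep
# for that many minutes unless sudo -k / sudo -K is issued first).
timestamp_verdict() {
    if [ "$1" -eq 0 ]; then
        echo always-prompt
    elif [ "$1" -lt 0 ]; then
        echo never-expires
    else
        echo cached
    fi
}

# Constructed sample sudoers fragment (not a real system file) for the demo.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Defaults env_reset
# workaround 4 from the thread: prompt for a password every time
Defaults env_keep += "LANG", timestamp_timeout = 0
EOF
minutes=$(effective_timestamp_timeout "$SAMPLE")
printf 'timestamp_timeout=%s -> %s\n' "$minutes" "$(timestamp_verdict "$minutes")"
rm -f "$SAMPLE"
```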
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html