Re: Vulnerability in Terminal.app

[hays () ibiblio org]

--On Wednesday, November 19, 2003 12:00 PM -0500 
full-disclosure-request () lists netsys com wrote:

> > There is a work-around for this vulnerability of course - actually
> > several.
> >
> > 1. Never use sudo (not particularly practical).
> >
> > 2. Never put your box to sleep after a sudo unless at least 5 minutes
> > (or whatever your interval is set to) have passed.
> >
> > 3. Issue either the 'sudo -k' command or the 'sudo -K' command before
> > putting your box to sleep - make it a habit no matter if you remember
> > issuing an ordinary sudo recently or not - 'just in case'.
>
> 4. Change your sudo settings to require a password each time you use it:
>
>     timestamp_timeout
>                 Number of minutes that can elapse before sudo will ask for
>                 a passwd again.  The default is 5.  Set this to 0 to
> always                 prompt for a password.  If set to a value less
> than 0 the                 user's timestamp will never expire.  This can
> be used to                 allow users to create or delete their own
> timestamps via                 sudo -v and sudo -k respectively.

5. Require password on wake from sleep (which seems like an all around good 
idea anyway)?

Also replicated on my 10.3 powerbook, fwiw.

--


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html