Full Disclosure mailing list archives
Re: Vulnerability in Terminal.app
From: hays () ibiblio org
Date: Wed, 19 Nov 2003 13:27:51 -0500
--On Wednesday, November 19, 2003 12:00 PM -0500 full-disclosure-request () lists netsys com wrote:
There is a work-around for this vulnerability of course - actually several.

1. Never use sudo (not particularly practical).
2. Never put your box to sleep after a sudo unless at least 5 minutes (or whatever your interval is set to) have passed.
3. Issue either the 'sudo -k' command or the 'sudo -K' command before putting your box to sleep - make it a habit no matter if you remember issuing an ordinary sudo recently or not - 'just in case'.
4. Change your sudo settings to require a password each time you use it:

   timestamp_timeout
       Number of minutes that can elapse before sudo will ask for a passwd again. The default is 5. Set this to 0 to always prompt for a password. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k respectively.

5. Require password on wake from sleep (which seems like an all around good idea anyway)?

Also replicated on my 10.3 powerbook, fwiw.

--
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
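
The timestamp_timeout setting quoted in the message above can be checked mechanically. The following is an added example, not part of the original post or of sudo itself: the function name `sudo_timeout_policy` is hypothetical, only unscoped `Defaults` lines are considered (the last one wins), the fallback of 5 minutes is the default quoted in the message, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: classify the global timestamp_timeout in sudoers-format text.
# Assumption: only unscoped "Defaults" lines count; the last setting wins.

sudo_timeout_policy() {
    # Reads sudoers-format text on stdin and prints one classification line.
    awk '
        BEGIN { val = 5; src = "default" }    # default of 5 as quoted in the post
        /^[ \t]*#/ { next }                   # skip comment lines
        $1 == "Defaults" {                    # ignores Defaults:user, Defaults@host
            line = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", line)
            n = split(line, opts, ",")        # options are comma-separated
            for (i = 1; i <= n; i++) {
                o = opts[i]
                gsub(/[ \t]/, "", o)
                if (o ~ /^timestamp_timeout=-?[0-9]+(\.[0-9]+)?$/) {
                    sub(/^timestamp_timeout=/, "", o)
                    val = o + 0; src = "set"
                }
            }
        }
        END {
            if (val == 0)     print "always-prompt " src   # password every time
            else if (val < 0) print "never-expires " src   # timestamp kept forever
            else              print "cached-" val "min " src
        }'
}

# Constructed sample inputs (not taken from any real host).
weak_sample='Defaults env_reset
Defaults:alice timestamp_timeout=0
Defaults timestamp_timeout=-1'
hardened_sample='Defaults env_reset, timestamp_timeout=0'

printf '%s\n' "$weak_sample"     | sudo_timeout_policy
printf '%s\n' "$hardened_sample" | sudo_timeout_policy
```

Files pulled in through include directives are not followed, so each sudoers fragment has to be piped through separately.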