Re: Vulnerability in Terminal.app

[Matt Burnett <marukka () mac com>]

In order for someone to exploit this they wouldn¹t they need physical
access? And if they had physical access they could simple just boot into
single user mode (enabled by default), or off a cd (enabled by default), or
simply steal the machine.

On 11/19/03 12:27 PM, "hays () ibiblio org" <hays () ibiblio org> wrote:

> --On Wednesday, November 19, 2003 12:00 PM -0500
> full-disclosure-request () lists netsys com wrote:
>
> > > There is a work-around for this vulnerability of course - actually
> > > several.
> > >
> > > 1. Never use sudo (not particularly practical).
> > >
> > > 2. Never put your box to sleep after a sudo unless at least 5 minutes
> > > (or whatever your interval is set to) have passed.
> > >
> > > 3. Issue either the 'sudo -k' command or the 'sudo -K' command before
> > > putting your box to sleep - make it a habit no matter if you remember
> > > issuing an ordinary sudo recently or not - 'just in case'.
> >
> > 4. Change your sudo settings to require a password each time you use it:
> >
> >     timestamp_timeout
> >                 Number of minutes that can elapse before sudo will ask for
> >                 a passwd again.  The default is 5.  Set this to 0 to
> > always                 prompt for a password.  If set to a value less
> > than 0 the                 user's timestamp will never expire.  This can
> > be used to                 allow users to create or delete their own
> > timestamps via                 sudo -v and sudo -k respectively.
>
> 5. Require password on wake from sleep (which seems like an all around good
> idea anyway)?
>
> Also replicated on my 10.3 powerbook, fwiw.
>
> --
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html