Full Disclosure mailing list archives
Re: Vulnerability in Terminal.app
From: Matt Burnett <marukka () mac com>
Date: Wed, 19 Nov 2003 14:58:33 -0600
In order for someone to exploit this, wouldn't they need physical access? And if they had physical access they could simply just boot into single user mode (enabled by default), or off a CD (enabled by default), or simply steal the machine.

On 11/19/03 12:27 PM, "hays () ibiblio org" <hays () ibiblio org> wrote:
--On Wednesday, November 19, 2003 12:00 PM -0500 full-disclosure-request () lists netsys com wrote:

There is a work-around for this vulnerability of course - actually several.

1. Never use sudo (not particularly practical).
2. Never put your box to sleep after a sudo unless at least 5 minutes (or whatever your interval is set to) have passed.
3. Issue either the 'sudo -k' command or the 'sudo -K' command before putting your box to sleep - make it a habit no matter if you remember issuing an ordinary sudo recently or not - 'just in case'.
4. Change your sudo settings to require a password each time you use it:

timestamp_timeout
    Number of minutes that can elapse before sudo will ask for a passwd again. The default is 5. Set this to 0 to always prompt for a password. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k respectively.

5. Require password on wake from sleep (which seems like an all around good idea anyway)?

Also replicated on my 10.3 powerbook, fwiw.

--
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
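An added example, not part of the original thread: a small audit of sudoers text that reports, per Defaults scope, which of the three timestamp_timeout behaviours quoted above applies. The function names and the sample sudoers content are constructed for illustration, and the rule that a later entry overrides an earlier one in the same scope is an assumption.

```python
import re

DEFAULT_MINUTES = 5.0  # default stated in the quoted sudoers text

# Constructed sample sudoers content (not taken from the thread).
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset,timestamp_timeout=15
Defaults:alice timestamp_timeout=-1
Defaults:bob !lecture, \\
    timestamp_timeout=0
%admin ALL=(ALL) ALL
"""

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines.
    Cutting at '#' is only safe because we look at Defaults lines alone."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def timestamp_settings(text):
    """Return {scope: minutes} for each timestamp_timeout on a Defaults line.
    Scope is 'global' or the suffix after 'Defaults' (e.g. ':alice').
    Assumption: a later entry for the same scope overrides an earlier one."""
    found = {}
    for line in logical_lines(text):
        m = re.match(r"Defaults(\S*)\s+(.*)", line)
        if not m:
            continue
        scope = m.group(1) or "global"
        for v in re.finditer(r"\btimestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)", m.group(2)):
            found[scope] = float(v.group(1))
    return found

def classify(minutes):
    """Map a value to the behaviour described in the quoted text."""
    if minutes < 0:
        return "never expires"   # timestamp never expires
    if minutes == 0:
        return "always prompts"  # workaround 4 in the quoted message
    return f"cached {minutes:g} min"

def audit(text):
    """Classify every scope; an unset global value falls back to the default."""
    settings = timestamp_settings(text)
    settings.setdefault("global", DEFAULT_MINUTES)
    return {scope: classify(m) for scope, m in settings.items()}

if __name__ == "__main__":
    for scope, verdict in audit(SAMPLE_SUDOERS).items():
        print(f"{scope:10s} {verdict}")
```

Any scope reported as "never expires" or with a long cache window is the one exposed to the sleep/wake scenario discussed in this thread.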
Current thread:
- Vulnerability in Terminal.app rixstep (Nov 19)
- Re: Vulnerability in Terminal.app Gwendolynn ferch Elydyr (Nov 19)
- Re: Vulnerability in Terminal.app rixstep (Nov 19)
- Re: Vulnerability in Terminal.app Charles E. Hill (Nov 19)
- <Possible follow-ups>
- Re: Vulnerability in Terminal.app hays (Nov 19)
- Re: Vulnerability in Terminal.app Matt Burnett (Nov 19)
- Re: Vulnerability in Terminal.app Timo Schoeler (Nov 19)
- Re: Vulnerability in Terminal.app Matt Burnett (Nov 19)
- Re: Vulnerability in Terminal.app Gwendolynn ferch Elydyr (Nov 19)