From: hays at ibiblio.org (hays@...blio.org)
Subject: Vulnerability in Terminal.app


--On Wednesday, November 19, 2003 12:00 PM -0500 
full-disclosure-request@...ts.netsys.com wrote:

>> There is a work-around for this vulnerability of course - actually
>> several.
>>
>> 1. Never use sudo (not particularly practical).
>>
>> 2. Never put your box to sleep after a sudo unless at least 5 minutes
>> (or whatever your interval is set to) have passed.
>>
>> 3. Issue either the 'sudo -k' command or the 'sudo -K' command before
>> putting your box to sleep - make it a habit no matter if you remember
>> issuing an ordinary sudo recently or not - 'just in case'.
>
> 4. Change your sudo settings to require a password each time you use it:
>
>     timestamp_timeout
>                 Number of minutes that can elapse before sudo will ask for
>                 a passwd again.  The default is 5.  Set this to 0 to always
>                 prompt for a password.  If set to a value less than 0 the
>                 user's timestamp will never expire.  This can be used to
>                 allow users to create or delete their own timestamps via
>                 sudo -v and sudo -k respectively.

5. Require password on wake from sleep (which seems like an all around good 
idea anyway)?

Also replicated on my 10.3 powerbook, fwiw.

--
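Editor's added example (not part of the thread, and not sudo's own tooling): a small POSIX shell check that reads the settings `sudo -V` prints when run as root and reports whether the timestamp timeout is 0, i.e. whether sudo will prompt for a password on every use as work-around 4 above recommends. It assumes the output contains a line of the form `Authentication timestamp timeout: 5.0 minutes` (that format is an assumption about the installed sudo version); the sample lines fed to it in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Inspects `sudo -V` output
# (only root sees the defaults listing) for the timestamp timeout that the
# quoted sudoers(5) text describes. A non-zero value means an earlier sudo
# authentication is still valid for that many minutes, including across a
# sleep/wake cycle; a negative value means the timestamp never expires.

# Print the timeout in minutes from sudo -V style text on stdin
# (assumed line format: "Authentication timestamp timeout: N minutes").
# Prints nothing if no such line is present.
timestamp_timeout_minutes() {
    sed -n 's/^Authentication timestamp timeout: *\([0-9.-]*\).*/\1/p' | head -n 1
}

# Return 0 when the timeout is exactly 0 (password required every time),
# 1 when it is positive, negative, or missing from the input.
timeout_is_safe() {
    t=$(timestamp_timeout_minutes)
    [ -n "$t" ] || return 1
    # numeric comparison so "0", "0.0" and "5.0" are all handled
    awk -v t="$t" 'BEGIN { exit (t == 0) ? 0 : 1 }'
}

# Usage on a real machine (root required for the defaults listing):
#   sudo sudo -V | timeout_is_safe && echo "sudo prompts every time" \
#                                  || echo "timestamp timeout in effect"
#
# Remediation, matching the quoted sudoers(5) text, added with visudo:
#   Defaults timestamp_timeout=0
#
# Constructed sample for trying the functions offline:
#   printf 'Authentication timestamp timeout: 5.0 minutes\n' | timeout_is_safe
```

Note that `timestamp_timeout=0` removes the window entirely, whereas `sudo -k` (work-around 3) only clears a timestamp that already exists; the check above treats a negative timeout as unsafe as well, since that is the never-expires case from the man page.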


