Message-ID: <BBE13599.CBF%marukka@mac.com>
From: marukka at mac.com (Matt Burnett)
Subject: Vulnerability in Terminal.app
In order for someone to exploit this, wouldn't they need physical
access? And if they had physical access they could simply just boot into
single user mode (enabled by default), or off a CD (enabled by default), or
simply steal the machine.
On 11/19/03 12:27 PM, "hays@...blio.org" <hays@...blio.org> wrote:
>
>
> --On Wednesday, November 19, 2003 12:00 PM -0500
> full-disclosure-request@...ts.netsys.com wrote:
>
>>> There is a work-around for this vulnerability of course - actually
>>> several.
>>>
>>> 1. Never use sudo (not particularly practical).
>>>
>>> 2. Never put your box to sleep after a sudo unless at least 5 minutes
>>> (or whatever your interval is set to) have passed.
>>>
>>> 3. Issue either the 'sudo -k' command or the 'sudo -K' command before
>>> putting your box to sleep - make it a habit no matter if you remember
>>> issuing an ordinary sudo recently or not - 'just in case'.
>>
>> 4. Change your sudo settings to require a password each time you use it:
>>
>> timestamp_timeout
>> Number of minutes that can elapse before sudo will ask for
>> a passwd again. The default is 5. Set this to 0 to
>> always prompt for a password. If set to a value less
>> than 0 the user's timestamp will never expire. This can
>> be used to allow users to create or delete their own
>> timestamps via sudo -v and sudo -k respectively.
>
> 5. Require password on wake from sleep (which seems like an all around good
> idea anyway)?
>
> Also replicated on my 10.3 powerbook, fwiw.
>
> --
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
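
An added example, not part of the original messages: a shell function that reports which of the three timestamp_timeout behaviours described in the quoted manual excerpt a sudoers file selects. The function names, the verdict labels and the sample sudoers text are assumptions made for illustration; scoped Defaults entries, line continuations and included files are not followed.

```sh
#!/bin/sh
# Added example: report how long sudo caches credentials according to the
# global "Defaults" entries in sudoers text (file arguments or stdin).
sudo_timeout_verdict() {
    awk '
    # 5 minutes is the default stated in the manual excerpt quoted above.
    BEGIN { val = 5; src = "built-in default" }
    # Global entries only: "Defaults:user", "Defaults@host" etc. have a
    # different first field and are skipped, as are commented-out lines.
    $1 == "Defaults" {
        line = $0
        sub(/^[ \t]*Defaults[ \t]+/, "", line)
        n = split(line, opts, ",")
        for (i = 1; i <= n; i++) {
            o = opts[i]
            gsub(/[ \t"]/, "", o)
            if (o ~ /^timestamp_timeout=-?[0-9]+(\.[0-9]+)?$/) {
                sub(/^timestamp_timeout=/, "", o)
                val = o + 0          # a later entry overrides an earlier one
                src = "line " NR
            }
        }
    }
    END {
        if (val == 0)     verdict = "prompt-every-time"
        else if (val < 0) verdict = "never-expires"
        else              verdict = "cached"
        printf "%s timeout=%s source=%s\n", verdict, val, src
    }' "$@"
}

# Constructed sample sudoers text, not taken from a real system.
constructed_sample() {
    cat <<'EOF'
# constructed sample
Defaults env_reset
Defaults:alice timestamp_timeout=-1
Defaults env_reset, timestamp_timeout=15
%admin ALL=(ALL) ALL
EOF
}

constructed_sample | sudo_timeout_verdict
```

Run it against a copy of the sudoers file; a verdict other than prompt-every-time means a sudo credential can still be valid when the machine is woken, which is the window workarounds 2 to 4 above are closing.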