--On Wednesday, November 19, 2003 12:00 PM -0500 [EMAIL PROTECTED] wrote:
There is a work-around for this vulnerability of course - actually several.
1. Never use sudo (not particularly practical).
2. Never put your box to sleep after a sudo unless at least 5 minutes (or whatever your interval is set to) have passed.
3. Issue either the 'sudo -k' command or the 'sudo -K' command before putting your box to sleep - make it a habit whether or not you remember issuing an ordinary sudo recently, 'just in case'.
4. Change your sudo settings to require a password each time you use it:
    timestamp_timeout
        Number of minutes that can elapse before sudo will ask for a passwd again. The default is 5. Set this to 0 to always prompt for a password. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k respectively.
5. Require password on wake from sleep (which seems like an all around good idea anyway)?
Also replicated on my 10.3 powerbook, fwiw.
--
_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
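Added example, not part of the original post or of sudo itself: a small POSIX shell script that turns workarounds 3 and 4 above into something checkable. `sudo_timeout_effective` reads a sudoers file and reports what `timestamp_timeout` actually resolves to (the documented default of 5 when unset, "always" for 0, "never" for a negative value), so you can confirm the setting took rather than trusting that you edited the right line. `sudo_safe_sleep` wraps the "sudo -K before sleep" habit and refuses to sleep if a credential is still cached. The sudoers content is constructed sample data written to a temp file; the `sudo -n` flag (non-interactive, fails instead of prompting) and `pmset sleepnow` are assumed to exist on the target system and are not mentioned in the original post.

```shell
#!/bin/sh
# Added example (not from the original post). Audits a sudoers file for the
# timestamp_timeout setting (workaround 4) and wraps "sudo -K before sleep"
# (workaround 3) into one function that verifies the cache is really gone.

# Print the effective timestamp_timeout for a sudoers file:
#   "always"  -> 0, sudo prompts every time
#   "never"   -> negative, cached credential never expires
#   <minutes> -> explicit positive value, or 5 (documented default) if unset
# Later Defaults entries override earlier ones, so the last match wins.
sudo_timeout_effective() {
    file=$1
    # Drop comments (this also drops #include lines, which we don't need),
    # keep only Defaults lines, extract the last timestamp_timeout assignment.
    # Fractional values (newer sudo) are deliberately not handled here.
    val=$(sed 's/#.*//' "$file" \
        | grep -E '^[[:space:]]*Defaults' \
        | grep -oE 'timestamp_timeout[[:space:]]*=[[:space:]]*-?[0-9]+' \
        | tail -n 1 \
        | sed 's/.*=[[:space:]]*//')
    if [ -z "$val" ]; then
        val=5
    fi
    if [ "$val" -eq 0 ]; then
        echo always
    elif [ "$val" -lt 0 ]; then
        echo never
    else
        echo "$val"
    fi
}

# Write a constructed sample sudoers to $1 with $2 as its Defaults line.
# This is test data only, never a real system file.
make_sample_sudoers() {
    printf '%s\n' '# constructed sample, not a real sudoers' \
        'root ALL=(ALL) ALL' "$2" '%admin ALL=(ALL) ALL' > "$1"
}

# Workaround 3 as a habit you can't forget: remove the cached credential
# (sudo -K deletes the timestamp outright), confirm sudo would now prompt,
# then sleep. Assumes sudo supports -n (non-interactive: exits non-zero
# rather than prompting). Sleep command defaults to Mac OS X's pmset; pass
# another command as $1 on other systems. Interactive use only.
sudo_safe_sleep() {
    sleep_cmd=${1:-"pmset sleepnow"}
    sudo -K
    if sudo -n true 2>/dev/null; then
        echo "sudo credential still cached (or NOPASSWD); refusing to sleep" >&2
        return 1
    fi
    $sleep_cmd
}

# Demo over constructed sudoers files: unset, hardened (workaround 4), and
# the worst case (never expires).
tmp=$(mktemp)
make_sample_sudoers "$tmp" 'Defaults env_reset'
echo "unset:     $(sudo_timeout_effective "$tmp")"
make_sample_sudoers "$tmp" 'Defaults env_reset,timestamp_timeout=0'
echo "hardened:  $(sudo_timeout_effective "$tmp")"
make_sample_sudoers "$tmp" 'Defaults timestamp_timeout = -1'
echo "negative:  $(sudo_timeout_effective "$tmp")"
rm -f "$tmp"
```

Run the audit against the real file with `sudo_timeout_effective /etc/sudoers` (read access to sudoers itself requires root, so `sudo sh` or `visudo -c` may be needed). `sudo_safe_sleep` will also refuse to sleep on a NOPASSWD account, since `sudo -n true` succeeds there for a different reason; on such an account the timestamp is moot anyway.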