[X-Unix] Re: Root Exploit via sudo

Kuestner, Bjoern Bjoern.Kuestner at drkw.com
Tue Apr 12 05:58:15 PDT 2005


> if you simply change the place where sudo logs to, 
> the security hazard is removed without added inconvenience.

I think you have to not only change the place but also 
a) make sure that a script cannot easily read the new location from a
config file, and
b) better, secure the permissions on the new log file.

Even then I'm not sure if that is secure enough for the paranoid (does not
include me). But as the devil's advocate I could imagine a script that tries
to run a sudo command every four minutes. I don't think you're blocked in
any way if you fail with a sudo attempt. So sooner or later an attempt will
succeed because the user happened to use sudo 2 minutes before that.

I guess the only secure way for OS X and other Unixish systems is to remove
the grace period after a sudo command.

This person suggested the same:
http://blog.wishingline.com/archives/2005_04.php#000590
>>
Open up the sudoers file in a new window via: sudo pico /etc/sudoers. 
Go to the Defaults section of the file and add the following bits:

Defaults:ALL !syslog
Defaults:ALL logfile=/var/log/secure.log
Defaults:ALL timestamp_timeout=0
Defaults:ALL tty_tickets

Adding these items will change where authentication attempts are logged, the
sudo timeout will be set to zero instead of the 5-minute default and the
password grace period will be set to a local tty session and not globally.

Save the file and run the next command to verify your changes: sudo visudo -c.
<<

Bjorn
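
The following audit script is an added example and is not part of the original post or of sudo itself: it parses the `Defaults` lines of a sudoers file and reports whether the two grace-period settings from the quoted blog entry (`timestamp_timeout=0` and `tty_tickets`) are in effect. The sudoers text embedded in it is a constructed sample; only the simple comma-separated `Defaults` forms are handled.

```python
"""Audit sudoers 'Defaults' lines for the credential grace-period settings."""
import re

# Constructed sample: the blog's four lines plus a stock Defaults line.
SAMPLE_SUDOERS = """\
# sudoers (constructed sample, not a real system file)
Defaults env_reset
Defaults:ALL !syslog
Defaults:ALL logfile=/var/log/secure.log
Defaults:ALL timestamp_timeout=0
Defaults:ALL tty_tickets
root ALL=(ALL) ALL
"""

# 'Defaults' optionally followed by a scope (:User, @Host, >Runas, !Cmnd).
DEFAULTS_RE = re.compile(r"^Defaults(?P<scope>[:@>!]\S+)?\s+(?P<body>.+)$")

def parse_defaults(text):
    """Return {option: value} for every Defaults line in the text.

    Flags become True, negated flags ('!syslog') become False, and
    'key=value' entries keep their string value. Later lines win.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        for item in m.group("body").split(","):
            item = item.strip()
            if not item:
                continue
            if "=" in item:
                key, value = item.split("=", 1)
                opts[key.strip()] = value.strip()
            elif item.startswith("!"):
                opts[item[1:]] = False
            else:
                opts[item] = True
    return opts

def audit_grace_period(text):
    """List the hardening settings from the post that are missing or weak."""
    opts = parse_defaults(text)
    findings = []
    timeout = opts.get("timestamp_timeout")
    if timeout is None or float(timeout) != 0:
        findings.append("timestamp_timeout is not 0: sudo still caches credentials")
    if opts.get("tty_tickets") is not True:
        findings.append("tty_tickets not set: cached credentials shared across ttys")
    return findings

if __name__ == "__main__":
    print(audit_grace_period(SAMPLE_SUDOERS) or ["no findings"])
```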



_______________________________________________
X-Unix mailing list
X-Unix at listserver.themacintoshguy.com
http://listserver.themacintoshguy.com/mailman/listinfo/x-unix