Remove insecure root 'grace period' from sudo

Jun 01, '05 10:19:00AM

Contributed by: jzdziarski

Whenever you authenticate on the system, a program called sudo is called to give your application or shell root privileges. Unfortunately, sudo includes a 'grace period,' wherein it will allow you to run privileged tasks repeatedly without a password. This presents a problem in OS X, where another application (such as a widget) could hijack your privileged access after you authenticate for some unrelated task (see this thread on macosx.com for more information about this particular vulnerability).

Fortunately, the grace period can be removed so that you will have to type your sudo password every time you want to perform a privileged task. This makes for a much more secure system, preventing other applications or widgets from being able to hijack this access. Simply add this line to your /etc/sudoers file:

Defaults:ALL timestamp_timeout=0
[robg adds: To edit the sudoers file, you'll need to use a special program called visudo, which must itself be run as root via sudo (got that?). So just type sudo visudo, and edit away (it's a version of vi).]

Comments (22)


Mac OS X Hints
http://hints.macworld.com/article.php?story=20050519125822728