|
|
Remove insecure root 'grace period' from sudo
Yes insults does not really need to be there. I just did a copy paste of what my servers have set.
Remove insecure root 'grace period' from sudo
By default, you've got "timestamp_timeout" amount of time from a password prompt to invoke "sudo" again without being prompted for a password.
With "tty_tickets", you're ticket is only good on a single TTY, if you change TTYs but are still within the timeout period, you'll have to type your password. So, by setting "timestamp_timeout" to 0, you must always enter a password, even if you do two sudos in a row on the same TTY:
tty_tickets isn't much help in securing things, because all Cocoa/Carbon apps run under the same TTY ("console"). So the only way to prevent something from taking advantage of you authenticating an installer is to clear the timeout and key the password multiple times instead. It Would Be Nice if you could set up timestamp_timeout on "console" to 0, but keep it at several minutes for /dev/tty*, so that your Terminal.app, xterm, iTerm.app, and so on windows work as usual. And yes, this is all standard-on-all-UNIXes behavior of sudo. The unusual thing is the way Apple has automatic sudo in several spots in the GUI. (And I'll give them credit for just using sudo, rather than inventing yet another tool for the job. Though it did expose the timestamp_timeout risk in a way that most sudo-ers don't anticipate--I've tightened up sudo on all my systems as a result.)
Remove insecure root 'grace period' from sudo
THANX for the clarification. |
SearchFrom our Sponsor...Latest Mountain Lion HintsWhat's New:HintsNo new hintsComments last 2 daysLinks last 2 weeksNo recent new linksWhat's New in the Forums?
Hints by TopicNews from Macworld
From Our Sponsors |
|
Copyright © 2014 IDG Consumer & SMB (Privacy Policy) Contact Us All trademarks and copyrights on this page are owned by their respective owners. |
Visit other IDG sites: |
|
|
|
Created this page in 0.09 seconds |
|