Rixstep
 About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Learning Curve

TTY Tickets

Closing the sudo piggyback hole.


Get It

Try It

There's a hole in the default behaviour of sudo in OS X: the 'grace period' (the time until you need to submit your password again) is not tied to a 'TTY' but to you as a user.

It's been dubbed the 'sudo piggyback hole': should rogue code be running on your system (a rogue Dashboard widget for example) it can periodically try to 'piggyback' on your 'grace period' and create a root shell of its own.

The default grace period for sudo is five minutes; all rogue code has to do is try to escalate every four minutes and fifty seconds. Sooner or later, if you ever use sudo, you will be toast. The bread will burn.

There is a way around this however: tie the grace period not to a user but to a 'TTY'. A 'TTY' is a specific 'terminal' or 'login'. ('TTY' stands for 'teletype', the original terminal device used on Unix.)

Try the following experiment on your computer now.

  1. If Terminal is open, close it.

  2. Open a single Terminal window.

  3. Type in sudo -k and hit Enter. This will kill the sudo time stamp if there is one.

  4. Issue the following command.

    sudo ls

    (You will be prompted for your password; submit it.)

  5. Leave the current Terminal window open and open a second Terminal window. Try the same command again:

    sudo ls

    Because you invoked sudo within the grace period, you were not prompted again for your password, even though your two Terminal windows are running on different TTYs.

To plug the hole, do the following:

  1. If Terminal is open, close it.

  2. Open a single Terminal window.

  3. Type in the following. ('<Esc>' is the <Esc> key; when prompted for your password, give it.)

    sudo visudo
    /^# Defaults
    oDefaults tty_tickets
    <Esc>:x

Now try the experiment again: you should be prompted in both Terminal windows for your password, no matter the grace period is still in effect.

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.