Rixstep
 About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Learning Curve

The Zero Time Stamp Timeout

When only 100% protection is good enough.


Get It

Try It

This all starts at the following URL. If you're not familiar with the article, check it out now and then come back.

http://adbas.net/OSX_Vuln.txt

Two Things

There are two curious anomalies about the use of sudo on OS X.

  1. The default is to use TTY tickets; Apple have evidently rewritten the source code to make them not the default.

  2. The manpage for sudoers, a part of the FreeBSD documentation, has been removed from OS X.

There is presently no explanation for either of these anomalies. The pertinent manpage can nevertheless be found at the FreeBSD site - see below.

Moving to zero time stamp timeouts means each privilege escalation will require a submission of password - there will be no so-called 'grace periods'. The article above makes it patently clear that interlopers can coast in - 'piggyback' - at any time, and in fact with less of the sophistication than author of the article thinks is necessary.

It becomes painfully clear that nothing short of zero time stamp timeouts offers 100% protection. To configure a system for zero time stamp timeouts, it is necessary to modify the sudoers file.

This is a touchy job, but fortunately there are tools on board which protect you from errors and make your work safer. After that, all you have to do is follow the instructions.

Configuring sudoers

sudoers is easy to configure if you know vi, and it doesn't take long to learn enough vi to do it. You invoke 'visudo', not vi, and this is important: if you make a syntax error, sudo will not be able to run and you will have to boot into single user mode to correct it.

All you do is type the following and you're up and editing.

sudo visudo

Once you're in sudoers, navigate down with your arrow keys to the following line.

# Defaults specification

Hit 'o' on your keyboard. This opens a new line after the line you're on. You can begin typing immediately. Type in the following.

Defaults:ALL timestamp_timeout=0

When you're finished editing, hit Escape to end the editing session, then ':w' plus Enter to write the file to disk, and finally ':q' plus Enter to quit visudo.

From now on you must authenticate with your password for every command.

CLIX will work with this system. Command lines with multiple commands separated by semicolons will still be prompted for your password, and CLIX will submit it each time.

See Also

http://www.freebsd.org/cgi/man.cgi?query=vi
http://www.freebsd.org/cgi/man.cgi?query=sudoers
http://macosxhints.com/comment.php?mode=display&sid=20050519125822728&pid=58336
http://macosxhints.com/comment.php?mode=display&sid=20050519125822728&pid=58348

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.