Apple Mac OS X Server Network Card User Manual


 
Chapter 8 Working with Users and Groups
Note: There is a timeout value associated with the sudo tool. This value indicates the
number of minutes until the sudo tool prompts for a password again. The default value
is 5, which means that after issuing the sudo command and entering the correct
password, additional sudo commands can be entered for 5 minutes without re-entering
the password. This value is set in the /etc/sudoers file. See the sudo and
sudoers man pages for more information.
3 In the Defaults specification section of the file, add the following line:
Defaults timestamp_timeout=0
4 Restrict which administrators are allowed to run the sudo tool by removing the line that
begins with %admin, and adding the following entry for each user, substituting the
user’s short name for the word user:
user ALL=(ALL) ALL
Doing this will mean that any time a new administrator is added to a system, that
administrator must be added to the /etc/sudoers file as described above if that
administrator requires the ability to use the sudo tool.
5 Save and quit visudo.
See the vi and visudo man pages for more information.
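One way to check the result of steps 3 and 4 is to audit the edited file. The script below is an added example, not part of the original manual; the function names, the sample files and the user jsmith are constructed for illustration, and it assumes entries are written in the single-line form shown above.

```shell
#!/bin/sh
# Audit a sudoers file for the settings described in steps 3 and 4.
# Prints one finding per line; returns 0 only when both checks pass.
audit_sudoers() {
    file=$1
    rc=0

    # Step 3: an active "Defaults ... timestamp_timeout=0" line must exist.
    if grep -Eq '^[[:space:]]*Defaults[[:space:]].*timestamp_timeout[[:space:]]*=[[:space:]]*0([[:space:],]|$)' "$file"
    then echo "PASS timestamp_timeout=0"
    else echo "FAIL timestamp_timeout is not 0 (password is cached between sudo calls)"; rc=1
    fi

    # Step 4: no active %admin rule may remain.
    if grep -Eq '^[[:space:]]*%admin[[:space:]]' "$file"
    then echo "FAIL %admin rule present (every administrator can run sudo)"; rc=1
    else echo "PASS no %admin rule"
    fi

    # Step 4: list the accounts holding an explicit "ALL=(ALL) ALL" entry so
    # the list can be compared with the intended set of administrators.
    awk '$1 !~ /^[#%]/ && $1 != "Defaults" &&
         $2 == "ALL=(ALL)" && $3 == "ALL" { print "INFO full sudo access: " $1 }' "$file"

    return $rc
}

# Constructed sample files (not taken from a real system): the first resembles
# an unmodified file, the second has steps 3 and 4 applied for user "jsmith".
write_samples() {
    dir=$1
    printf '%s\n' '# constructed sample' 'Defaults env_reset' \
        'root ALL=(ALL) ALL' '%admin ALL=(ALL) ALL' > "$dir/sudoers.before"
    printf '%s\n' '# constructed sample' 'Defaults env_reset' \
        'Defaults timestamp_timeout=0' 'root ALL=(ALL) ALL' \
        'jsmith ALL=(ALL) ALL' > "$dir/sudoers.after"
}

# Demo: audit both constructed samples, then clean up.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir/sudoers.before" "$demo_dir/sudoers.after"; do
    echo "== $f"
    audit_sudoers "$f" || echo "-> needs changes"
done
rm -rf "$demo_dir"
```

To audit the live file, call audit_sudoers /etc/sudoers as root, since the file is not readable by ordinary users.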
Securing Single-User Boot
On Apple computers running Mac OS X, Open Firmware is the software executed
immediately after the computer is powered on. This boot firmware is analogous to the
BIOS on an x86-based PC. To prevent users from obtaining root access by booting into
single user mode or booting from other disks, the Open Firmware settings should be
altered. For desktop computers, the Open Firmware security mode should be set to
command. To configure the Open Firmware settings, use the nvram tool.
To set the security-mode variable, enter the following command:
$ nvram security-mode="command"
In command mode, the computer will boot from the boot device specified in the
computer’s boot device variable and disallow users from providing any boot
arguments.
To test that the computer has been put into command mode as recommended:
1 Close all applications and choose Restart from the Apple menu.
2 A confirmation window will pop up. Restart the computer by clicking the Restart
button.
3 Hold down the key combination Command-S while the computer boots.
4 If the command mode has been set correctly, the computer will display the Mac OS X
login window. Normally, holding down the Command-S key combination while starting
up would cause the computer to start up in single-user mode.