[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PAM authentication patch - v2

From: Brian Murphy
Subject: Re: PAM authentication patch - v2
Date: Tue, 15 Apr 2003 19:58:22 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1

You might also use the global program_name variable defined in src/main.c, instead. Then, when a user used a soft link called "mycvs" or a script was run which used exec to call CVS, program_name would be what the user (perhaps the administrator) set it to. I'm not sure whether that's a good thing when dealing with PAM or not, though I suspect it might not be. From src/main.c:

    /* On some systems, e.g. VMS, argv[0] is not the name of the command
       which the user types to invoke the program.  */
    program_name = "cvs";
    program_name = last_component (argv[0]);


Despite the dire warnings in the PAM documentation I can't see that using program_name is a problem. CVS is not installed suid root so it has no special priviledges unless it is run as root and you need to be root to do that. If cvs should ever become a daemon and run suid then this could be a problem. The service name determines the configuration file that gets user for PAM. If you are a local user already then even an unrestricted cvs cannot do more than you as a user can. And you still cannot change
what the cvs accessed via pserver is called.

Can anyone else see the problems I'm missing?


reply via email to

[Prev in Thread] Current Thread [Next in Thread]