Re: PAM authentication patch - v2

From: Steve McIntyre
Subject: Re: PAM authentication patch - v2
Date: Tue, 1 Jul 2003 01:19:27 +0100
User-agent: Mutt/1.5.4i

On Mon, Jun 30, 2003 at 09:17:36PM +0200, Brian Murphy wrote:
>Derek Robert Price wrote:
>>Hey Brian,
>>I've been putting you off for a long time, haven't I?
>>Sorry about that. Anyway, would you mind forwarding me the most recent 
>>version of your patch?  I've been looking through my email, but it was 
>>rather messy and I want to make sure I got the right patch.
>See attachment for patch and changelog entries.

Cool patch - I see you've spent a lot more effort on the docs than I
did in mine (most recent against 1.12.1 attached for reference). Just
one point that worries me - you only hardcode the pam service name if
specifically configured that way, otherwise you just use the
program_name. This is very dangerous and is specifically warned
against in the PAM documentation I've read. If a user can sym-link to
your CVS binary and use another name (easily done), they then get the
option of using whichever PAM config they want. That's a security hole
waiting to happen!

Steve McIntyre, Cambridge, UK.                                steve@einval.com
Support the Campaign for Audiovisual Free Expression: http://www.eff.org/cafe/

Attachment: 60_PAM_support
Description: Text document
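
The concern raised in the message above, shown as an added example that is not part of the original post or of either patch: a service name derived from the program name changes with the name the binary is invoked under, while a fixed or validated configured name does not. All function names, the `cvs` default and the sample paths are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed compile-time default for this example. */
#define DEFAULT_PAM_SERVICE "cvs"

/* Risky pattern: the service name follows whatever name the binary was
 * invoked under, so a symlink with a different name changes it. */
static const char *service_from_program_name(const char *argv0)
{
    const char *slash = strrchr(argv0, '/');
    return slash ? slash + 1 : argv0;
}

/* Accept only a plain token: the name ends up selecting a PAM config,
 * so path separators and empty strings are rejected. */
static int valid_service_name(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 64)
        return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '-' && *s != '_')
            return 0;
    return 1;
}

/* Hardened pattern: argv[0] is never consulted. The value comes from the
 * administrator's configuration if valid, else the fixed default. This is
 * the string that would be passed as the first argument of pam_start(). */
static const char *choose_service(const char *configured)
{
    return valid_service_name(configured) ? configured : DEFAULT_PAM_SERVICE;
}

int main(void)
{
    /* Constructed invocation names: the installed path and a symlink. */
    const char *names[] = { "/usr/bin/cvs", "/tmp/other-name" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-16s program_name -> %-10s fixed -> %s\n", names[i],
               service_from_program_name(names[i]), choose_service(NULL));
    return 0;
}
```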
