Re: PAM authentication patch

bug-cvs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PAM authentication patch - v2

From:	Steve McIntyre
Subject:	Re: PAM authentication patch - v2
Date:	Tue, 1 Jul 2003 01:19:27 +0100
User-agent:	Mutt/1.5.4i

On Mon, Jun 30, 2003 at 09:17:36PM +0200, Brian Murphy wrote:
>Derek Robert Price wrote:
>
>>Hey Brian,
>>
>>I've been putting you off for a long time, haven't I?
>
>Indeed.
>
>>Sorry about that. Anyway, would you mind forwarding me the most recent 
>>version of your patch?  I've been looking through my email, but it was 
>>rather messy and I want to make sure I got the right patch.
>>
>See attachment for patch and changelog entries.

Cool patch - I see you've spent a lot more effort on the docs than I
did in mine (most recent against 1.12.1 attached for reference). Just
one point that worries me - you only hardcode the pam service name if
specifically configured that way, otherwise you just use the
program_name. This is very dangerous and is specifically warned
against in the PAM documentation I've read. If a user can sym-link to
your CVS binary and use another name (easily done), they then get the
option of using whichever PAM config they want. That's a security hole
waiting to happen!

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
Support the Campaign for Audiovisual Free Expression: http://www.eff.org/cafe/

60_PAM_support
Description: Text document

[Prev in Thread]

Current Thread

[Next in Thread]

Re: PAM authentication patch - v2, Brian Murphy, 2003/06/30
- Re: PAM authentication patch - v2, Matt Doar, 2003/06/30
- Re: PAM authentication patch - v2, Steve McIntyre <=

Prev by Date: Re: 1.11.6 Update broken
Next by Date: Mail delivery failed: returning message to sender
Previous by thread: Re: PAM authentication patch - v2
Index(es):
- Date
- Thread