[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PAM access policy may be circumvented

From: Marc Singer
Subject: PAM access policy may be circumvented
Date: Fri, 10 Oct 2003 12:31:06 -0700
User-agent: Mutt/1.5.4i

The current PAM patch allows for a failed PAM authentication check to
fall back on checking the passwd file using the normal
check_password() call.  If the PAM policy is to deny access to CVS for
that user, the fall back may grant access if the user has an account
on the host--even if that user's account has an invalid shell and,
therefore, cannot access CVS any other way.

This patch establishes PAM, when available, as the sole method for
granting access (to pserver).  Since PAM can be setup to grant access
through the passwd database, there ought to be no loss of functionality.

--- server.c-original   2003-10-10 12:09:30.000000000 -0700
+++ server.c    2003-10-10 12:21:15.000000000 -0700
@@ -5901,8 +5901,10 @@
         host_user = check_pam_password (username, descrambled_password, 
 #endif /* HAVE_PAM */
+#ifndef HAVE_PAM 
     if(NULL == host_user)
         host_user = check_password (username, descrambled_password, 
     if (host_user == NULL)

reply via email to

[Prev in Thread] Current Thread [Next in Thread]