[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: PAM authentication patch - v2
From: |
Steve McIntyre |
Subject: |
Re: PAM authentication patch - v2 |
Date: |
Tue, 1 Jul 2003 16:30:32 +0100 |
User-agent: |
Mutt/1.3.28i |
On Tue, Jul 01, 2003 at 05:18:40PM +0200, Brian Murphy wrote:
>
>Steve McIntyre wrote:
>
>>did in mine (most recent against 1.12.1 attached for reference). Just
>>one point that worries me - you only hardcode the pam service name if
>>specifically configured that way, otherwise you just use the
>>program_name. This is very dangerous and is specifically warned
>>against in the PAM documentation I've read. If a user can sym-link to
>>your CVS binary and use another name (easily done), they then get the
>>option of using whichever PAM config they want. That's a security hole
>>waiting to happen!
>>
>Not really (a security hole). That is as long as you don't suid/sgid
>your cvs binary. If you do then you need to force the service name to
>something. If you don't then the only way of exploiting the security
>hole is to be the root user and root can do anything anyway. The cvs
>documentation explicitly states the use of CVS in suid mode is
>unsupported and evil (perhaps I extrapolate a little ;-)). Hence no
>problem.
It depends a lot on local config, to be honest. It's not just
setuid/setgid. With PAM people can configure the system to only allow
access to CVS for certain users, yet still (for example) host a POP
service or something else that gives access to more users than just
those in the passwd file. By sym-linking the cvs binary to a new name
(to match the POP server), suddenly people have access to CVS when
they should not. It's a little convoluted, but still a possible
hole. For my PAM support, I just hardcoded the service name to be
"cvs"; do you have a reason to do differently? I'm curious... :-)
--
Steve McIntyre, Cambridge, UK. steve@einval.com
Support the Campaign for Audiovisual Free Expression: http://www.eff.org/cafe/
- Re: PAM authentication patch - v2, Brian Murphy, 2003/07/01
- Re: PAM authentication patch - v2,
Steve McIntyre <=
- Re: PAM authentication patch - v2, Brian Murphy, 2003/07/17
- Re: PAM authentication patch - v2, Brian Murphy, 2003/07/17
- Message not available
- Re: PAM authentication patch - v2, Brian Murphy, 2003/07/17
- Re: PAM authentication patch - v2, Matt Doar, 2003/07/17
- Re: PAM authentication patch - v2, Derek Robert Price, 2003/07/18
- Re: PAM authentication patch - v2, Steve McIntyre, 2003/07/18
- Re: PAM authentication patch - v2, Derek Robert Price, 2003/07/18