PAM access policy may be circumvented
From: Marc Singer
Subject: PAM access policy may be circumvented
Date: Fri, 10 Oct 2003 12:31:06 -0700
User-agent: Mutt/1.5.4i

The current PAM patch allows for a failed PAM authentication check to
fall back on checking the passwd file using the normal
check_password() call. If the PAM policy is to deny access to CVS for
that user, the fallback may grant access if the user has an account
on the host--even if that user's account has an invalid shell and,
therefore, cannot access CVS any other way.

This patch establishes PAM, when available, as the sole method for
granting access (to pserver). Since PAM can be set up to grant access
through the passwd database, there ought to be no loss of functionality.

--- server.c-original 2003-10-10 12:09:30.000000000 -0700
+++ server.c 2003-10-10 12:21:15.000000000 -0700
@@ -5901,8 +5901,10 @@
host_user = check_pam_password (username, descrambled_password,
repository);
#endif /* HAVE_PAM */
+#ifndef HAVE_PAM
if(NULL == host_user)
host_user = check_password (username, descrambled_password,
repository);
+#endif
if (host_user == NULL)
{
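
Review bot: The added `#ifndef HAVE_PAM` sits immediately after `#endif /* HAVE_PAM */`, so if the block above opens with `#ifdef HAVE_PAM` the two conditionals can be folded into one with an `#else` branch, which makes it obvious that exactly one of check_pam_password() and check_password() is compiled in. The new `#endif` should also carry the `/* HAVE_PAM */` comment used on the line above it. Because the choice is now made at compile time, a server built with HAVE_PAM no longer reaches check_password() at all, so the documentation should say that such builds need a PAM policy that grants pserver access, including one backed by the passwd database where that is the intended behaviour.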