
PAM access policy may be circumvented


From: Marc Singer
Subject: PAM access policy may be circumvented
Date: Fri, 10 Oct 2003 12:31:06 -0700
User-agent: Mutt/1.5.4i

The current PAM patch allows for a failed PAM authentication check to
fall back on checking the passwd file using the normal
check_password() call.  If the PAM policy is to deny access to CVS for
that user, the fallback may grant access if the user has an account
on the host--even if that user's account has an invalid shell and,
therefore, cannot access CVS any other way.

This patch establishes PAM, when available, as the sole method for
granting access (to pserver).  Since PAM can be set up to grant access
through the passwd database, there ought to be no loss of functionality.


--- server.c-original   2003-10-10 12:09:30.000000000 -0700
+++ server.c    2003-10-10 12:21:15.000000000 -0700
@@ -5901,8 +5901,10 @@
         host_user = check_pam_password (username, descrambled_password, 
repository);
 #endif /* HAVE_PAM */
 
+#ifndef HAVE_PAM 
     if(NULL == host_user)
         host_user = check_password (username, descrambled_password, 
repository);
+#endif
 
     if (host_user == NULL)
     {
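Review bot: the added `#ifndef HAVE_PAM` block sits directly after the existing `#endif /* HAVE_PAM */`, so it would read more clearly as an `#else` branch of that same conditional, and inside that branch the `if(NULL == host_user)` guard is now redundant because the PAM call never ran in a non-PAM build. The change also deserves a short comment in the code stating that the passwd-file fallback is intentionally disabled when PAM is compiled in, so that a PAM deny decision cannot be bypassed by an account that merely exists in the passwd file; without it a later reader may "fix" the missing fallback and reintroduce the fail-open behaviour this patch removes. Minor: the `+#ifndef HAVE_PAM ` line carries trailing whitespace.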
