On Sun, 2003-08-03 at 19:08, Henrik Nordstrom wrote:
> On Sunday 03 August 2003 10.51, Robert Collins wrote:
>
> > I've applied this patch - I don't think there is significant risk
> > in it being suid - but we can back it out if needed..
>
> The risk is that it punches a hole in the security restrictions of
> PAM, allowing any local user to verify any local users password.
>
> Normally users are only allowed to verify their own passwords via PAM
> (used by lock screen functions etc), while only root is allowed to
> verify other users passwords. This restriction is to prevent
> automated guessing of passwords at high rates.
You can limit the risk by making it only accessible to group squid.
Also, you have the inherit risk that the PAM modules might not be fully
setuid safe - let alone the helper itself. (pam modules might
incorrectly assume the protections and care taken by 'su').
I think this really should be up to the admin - it should be clearly
documented, but if you are using something like pam_winbind, you don't
need this, or the risks it exposes. If we don't supply the a default
pam config file, then we shouldn't add the setuid by default. (If we
do, then we should set it appropriate for the file as listed)
Andrew Bartlett
-- Andrew Bartlett abartlet@pcug.org.au Manager, Authentication Subsystems, Samba Team abartlet@samba.org Student Network Administrator, Hawker College abartlet@hawkerc.net http://samba.org http://build.samba.org http://hawkerc.net
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:20:26 MST