Re: [patch] pam_auth has to be installed setuid root

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 3 Aug 2003 11:08:19 +0200

On Sunday 03 August 2003 10.51, Robert Collins wrote:

> I've applied this patch - I don't think there is significant risk
> in it being suid - but we can back it out if needed..

The risk is that it punches a hole in the security restrictions of
PAM, allowing any local user to verify any local user's password.

Normally users are only allowed to verify their own passwords via PAM
(used by lock screen functions etc), while only root is allowed to
verify other users' passwords. This restriction is to prevent
automated guessing of passwords at high rates.

Regards
Henrik
Received on Sun Aug 03 2003 - 03:08:52 MDT
