Re: [patch] pam_auth has to be installed setuid root

From: Andrew Bartlett <abartlet@dont-contact.us>
Date: 03 Aug 2003 20:09:07 +1000

On Sun, 2003-08-03 at 19:08, Henrik Nordstrom wrote:
> On Sunday 03 August 2003 10.51, Robert Collins wrote:
>
> > I've applied this patch - I don't think there is significant risk
> > in it being suid - but we can back it out if needed..
>
> The risk is that it punches a hole in the security restrictions of
> PAM, allowing any local user to verify any local user's password.
>
> Normally users are only allowed to verify their own passwords via PAM
> (used by lock screen functions etc), while only root is allowed to
> verify other users' passwords. This restriction is to prevent
> automated guessing of passwords at high rates.

You can limit the risk by making it only accessible to group squid.
Also, you have the inherent risk that the PAM modules might not be fully
setuid safe - let alone the helper itself. (PAM modules might
incorrectly assume the protections and care taken by 'su').

I think this really should be up to the admin - it should be clearly
documented, but if you are using something like pam_winbind, you don't
need this, or the risks it exposes. If we don't supply a default
pam config file, then we shouldn't add the setuid by default. (If we
do, then we should set it appropriately for the file as listed)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

Received on Sun Aug 03 2003 - 04:09:17 MDT
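
The restriction suggested in this message (a setuid-root helper reachable only by group squid) can be checked with the added script below, which is not part of the original thread or of Squid. The function names, the use of GNU `stat -c`, and the sample layouts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the install layout of a setuid PAM helper.
# Assumptions (not from the thread): GNU stat, group name "squid" as default.

# classify_helper MODE OWNER GROUP [WANT_GROUP]
# MODE is octal as printed by `stat -c %a` (e.g. 4750).
# Prints one verdict; returns 0 when no local-user exposure is found.
classify_helper() {
    h_mode=$1 h_owner=$2 h_group=$3 h_want=${4:-squid}
    case $h_mode in
        ''|*[!0-7]*) echo "bad-mode"; return 2 ;;
    esac
    h_bits=$((0$h_mode))                      # leading 0 => parsed as octal
    if [ $((h_bits & 04000)) -eq 0 ]; then
        echo "not-setuid"; return 0           # helper runs as the caller
    fi
    if [ "$h_owner" != "root" ]; then
        echo "setuid-not-root"; return 1      # setuid, but not to root
    fi
    if [ $((h_bits & 0022)) -ne 0 ]; then
        echo "writable"; return 1             # group/other can replace the binary
    fi
    if [ $((h_bits & 0001)) -ne 0 ]; then
        echo "world-executable"; return 1     # any local user can verify passwords
    fi
    if [ "$h_group" != "$h_want" ]; then
        echo "wrong-group"; return 1          # restricted, but to another group
    fi
    echo "restricted"; return 0
}

# audit_helper PATH [WANT_GROUP]: read the real file's metadata and classify it.
audit_helper() {
    a_path=$1 a_want=${2:-squid}
    a_info=$(stat -c '%a %U %G' -- "$a_path") || return 2
    set -- $a_info                            # split into mode, owner, group
    classify_helper "$1" "$2" "$3" "$a_want"
}

# Constructed sample layouts (mode owner group), not taken from a real system.
for sample in "4755 root root" "4750 root squid" "4770 root squid" "755 root root"; do
    set -- $sample
    printf '%-16s %s\n' "$sample" "$(classify_helper "$1" "$2" "$3")"
done
```

A helper installed as root:squid with mode 4750 is the only setuid layout reported as `restricted`; pass the helper's installed path to `audit_helper` to check a real system.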
