On Sat, May 18, 2002 at 09:26:30PM -0400, Sam Hartman wrote:
>
> One area in which Debian's PAM differs from the CVS mainline is that
> we have applied a few patches to loosen file checks. In particular,
> for pam_rhosts, we allow .rhosts to be a symlink; similarly we allow
> the file for pam_listfile to be a symlink.
>
> It's my opinion that Debian actually shouldn't have done this as a
> local change; too gratuitous of a difference. So I'm asking what
> people think about allowing symlinks in the upstream sources.

My recommendation would be to control the behaviour based on a module
argument in the pam.conf/pam.d entry. I'd also make the default be to
not follow symlinks, since it could potentially cause a security
exposure (even in the pam_listfile case), so it should be one of those
things that the user should have to explicitly ask for in the pam
configuration file.

- Ted
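
The opt-in behaviour recommended above, as an added sketch that is not code from this thread or from Linux-PAM: symlinks are refused unless the module arguments ask for them. The argument name `follow_symlinks`, the function names and the world-writable check are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* "follow_symlinks" is a hypothetical argument name, not a real PAM option. */
static int parse_follow(int argc, const char **argv) {
    int follow = 0;                       /* default: do not follow symlinks */
    for (int i = 0; i < argc; i++)
        if (strcmp(argv[i], "follow_symlinks") == 0)
            follow = 1;
    return follow;
}

/* Returns 1 if path may be used as the list file, 0 if it is rejected. */
static int file_acceptable(const char *path, int follow) {
    struct stat st;
    int ok, fd = open(path, O_RDONLY | (follow ? 0 : O_NOFOLLOW));
    if (fd < 0)
        return 0;                         /* includes ELOOP: path is a symlink */
    /* fstat() the descriptor so the checks cover the file actually opened */
    ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && !(st.st_mode & S_IWOTH);
    close(fd);
    return ok;
}

/* Constructed demo: a temp file plus a symlink to it. Returns result bits. */
static int demo(void) {
    const char *none[] = { "onerr=fail" }, *opt[] = { "follow_symlinks" };
    char file[] = "/tmp/listfileXXXXXX", lnk[64];
    int r = 0, fd = mkstemp(file);
    if (fd < 0) return -1;
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", file);
    if (symlink(file, lnk) != 0) { unlink(file); return -1; }
    r |= file_acceptable(file, parse_follow(1, none)) << 0;  /* plain file    */
    r |= file_acceptable(lnk, parse_follow(1, none)) << 1;   /* link, default */
    r |= file_acceptable(lnk, parse_follow(1, opt)) << 2;    /* link, opt-in  */
    unlink(lnk);
    unlink(file);
    return r;
}

int main(void) { printf("results=%d\n", demo()); return 0; }
```

`O_NOFOLLOW` only refuses a symlink in the final path component; symlinked parent directories are still traversed.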