On Sun, May 19, 2002 at 11:36:11AM -0400, Sam Hartman wrote:
> >>>>> "Theodore" == Theodore Ts'o <tytso@MIT.EDU> writes:
>
>     Theodore> My recommendation would be to control the behaviour
>     Theodore> based on a module-arguments in the pam.conf/pam.d entry.
>     Theodore> I'd also make the default be to not follow symlinks,
>     Theodore> since it could potentially cause a security exposure
>     Theodore> (even in the pam_listfile case), so it should be one of
>
> How do you have a security exposure with symlinks in this case?
>
> Also, I tend to disagree that at least for the case of pam_listfile
> having an option to control the behavior is appropriate. Either
> you're willing to trust the administrator or you are not.

I haven't checked pam_listfile, but if it's not checking the write permissions and ownerships of the file and of the containing directory, you're right, there's not much point. I'd argue, though, that it's worthwhile to add such sanity checks.

I view checks like this as safety-mechanisms that prevent a lawnmower blade from spinning if the lawnmower is lifted off the ground. It turns out that people were trying to use a lawnmower to trim hedges, losing their grip and dropping the lawnmower, and losing a foot in the process. A few lawsuits later, manufacturers elected to improve the product by adding these safety checks.

Now, one could argue that people who are stupid enough to try to trim hedges with their lawnmowers deserve what they get, and this is "evolution in action", but (a) you generally can't catch them before they breed, and (b) losing a foot doesn't stop them from breeding (it would be different if they dropped the lawnmower on a different part of their anatomy, but that doesn't tend to happen :-), and (c) just simply costs society money in terms of supporting the idiots who can no longer work. In any case, given the average intelligence of the average Linux administrator, the more safety checks we can add, the better.

The bottom line is no, I don't trust the administrator, and so being able to force them to read the (F******) man page to find out how to disable the safety check is a good thing.

- Ted
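
The sanity checks discussed in this message (owner and write permission on the file and on its containing directory, with symlinks not followed unless asked for), as an added example that is not pam_listfile's code and was not posted in this thread. The function `open_trusted_list`, its `follow_symlinks` argument and the path `/etc/example.allow` are hypothetical names chosen for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 0 if owned by `owner` and not writable by group or other, else -1. */
static int owner_only_writable(const struct stat *st, uid_t owner)
{
    return (st->st_uid == owner && !(st->st_mode & (S_IWGRP | S_IWOTH))) ? 0 : -1;
}

/* Hypothetical helper, not pam_listfile code. Checks the file and its
 * immediate directory only. Returns an open fd, or -1 with errno set. */
int open_trusted_list(const char *path, uid_t owner, int follow_symlinks)
{
    char dir[PATH_MAX];
    const char *slash = strrchr(path, '/');
    size_t dlen = slash ? (size_t)(slash - path) : 0;
    int flags = O_RDONLY | O_NONBLOCK | (follow_symlinks ? 0 : O_NOFOLLOW);
    struct stat st;
    int dfd, fd;
    if (dlen + 2 > sizeof dir) { errno = ENAMETOOLONG; return -1; }
    snprintf(dir, sizeof dir, "%.*s", (int)dlen, path);
    if (dlen == 0) strcpy(dir, slash ? "/" : ".");
    dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd < 0) return -1;
    if (fstat(dfd, &st) < 0 || owner_only_writable(&st, owner) < 0) {
        close(dfd); errno = EPERM; return -1;
    }
    /* Open via the checked directory fd and fstat the result: no stat/open race. */
    fd = openat(dfd, slash ? slash + 1 : path, flags);
    close(dfd);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || owner_only_writable(&st, owner) < 0) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* "/etc/example.allow" is a placeholder path; expected owner is root (0). */
    int fd = open_trusted_list(argc > 1 ? argv[1] : "/etc/example.allow", 0, 0);
    puts(fd >= 0 ? "accepted" : "rejected");
    return fd >= 0 ? 0 : 1;
}
```

Because the mode and owner are read with `fstat` on the descriptor that will later be read from, the file that was checked is the file that gets used.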