Sounds strange to me... but I'm forwarding it here in case you
haven't seen it yet.
Olaf
----- Forwarded message from Tarhon-Onu Victor <mituc@iasi.rdsnet.ro> -----
Date: Thu, 6 Sep 2001 00:37:52 +0300 (EEST)
From: Tarhon-Onu Victor <mituc@iasi.rdsnet.ro>
To: <bugtraq@securityfocus.com>
Subject: pam limits drops privileges
Tested with: RedHat Linux
pam-0.74-22, pam-0.75-7, util-linux-2.10s,
util-linux-2.10s-12, in any combination.
Posted on: Bugzilla and Pam-Bugs.
Distribution dependent: dunno, but I think it's a pam bug.
Problem description: If there are any limits set for a group of
users then those users, logging in by any method using /bin/login (console
login, telnet, etc) can get privileges of the last user last logged in
via ssh (we're using openssh).
How to reproduce:
# groupadd testgroup
# useradd testuser -g testgroup
# echo '@testgroup - maxlogins 2'
ssh (let's say) as root into your box, then telnet into it and
login as testuser... and enjoy.
I think this is a big problem because It's difficult to manage a
>200 users system without group/user limits.
--
Tarhon-Onu Victor
Network and System Engineer
RDS Iasi - Network Operations Center
Phone: +40-32-218385
----- End forwarded message -----
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
