Re: pam module that allows users to write their own configuration

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Dnia 23-05-2008 o godz. 19:33 Tomas Mraz napisał(a):
> On Fri, 2008-05-23 at 17:28 +0200, Frankie Boy wrote:
> > Thorsten Kukuk wrote:
> > > On Fri, May 23, Frankie Boy wrote:
> > >
> > >   
> > >> On Fri, May 23, Thorsten Kukuk wrote:
> > >>
> > >>     
> > >>> On Fri, May 23, Frankie Boy wrote:
> > >>>
> > >>>       
> > >>>> Hello!
> > >>>>
> > >>>> Me and my friend started to develop a PAM-module which moves the
> > >>>> configuration-process responsibility from system administrator to system
> > >>>> users.
> > >>>> Every system user is able to configure his own pam-modules stack for
> > >>>> authentication.
> > >>>>         
> > >>> Hm, isn't that a big security risk? This would allow an user
> > >>> to configure a very weak authentication schema, which allows
> > >>> hacker to crack this account very fast ...
> 
> I agree with Thorsten that it is not a good idea at all. Note that the
> modules will run under root account and many of the modules (although
> rather session modules than auth modules) do things which if setup wrong
> or even with malicious intentions can do even other bad things to other
> accounts than that one of the user which set this up. This could be
> fixed by changing to the uid of the user before calling the user
> configured PAM stack but there is still a big potential for problems
> anyway.
> --

Yes, i am glad you are talking about this, we did it already.
Our module has configuration file in which system administrator 
determines which modules will run with Super user ID and which will run 
with uid of user which is authenticated.

Administrator might also define which modules are banned and wont run at 
all (this is the default behaviour).
He can also define different behavior for different users services and 
pam functions.

for ex functions from auth group of pam_unix on my system runs without 
root id and functions from account need it.


This solution of course mean that not all modules have to be available 
to users, but just those which have sense here.


regards, Franciszek Wawrzak

----------------------------------------------------
Jesteś maksismakowity, arcyprzystojny, megamądry? Jesteś jak polski
INDIANA JONES?:) Przyślij nam swoje zdjęcie, weź udział w KONKURSIE.
Wygraj maczety, kapelusze, kompasy, gadżety z filmu i inne smaczki.
klik: http://klik.wp.pl/?adr=http%3A%2F%2Fcorto.www.wp.pl%2Fas%2Findianakonkurs.html&sid=363


_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux