
Re: xlockmore (pam)



On Mon, 9 Sep 1996, Aleph One wrote:

> On Mon, 9 Sep 1996, Elliot Lee wrote:
> 
> > Has anyone thought of the efficiency implications of this approach? Sure,
> > I know Linux is supposed to be super-fast and all, but in My Real World
> > (e.g. my 8M home machine ;-) spawning off processes left and right is
> > probably not a good idea. As little overhead as possible should be
> > dedicated to authentication - decreasing its speed and increasing its
> > memory usage will slow down the system for this often-done operation. 
> > After all, not everyone is running a Turing machine... 
> 
> Security should come before efficiency... at least in my book.

Right, but it should pay attention to efficiency IMHO. Big kludgy programs
are insecure programs.

> > What is wrong with just plain using getpwnam() and getspnam()? If they
> > fail then obviously you don't have read permissions 
>
> Simple. If using getpwnam or getspnam directly, the application must be
> suid or sgid to whatever owns the shadow file. This means that any
> vulnerability in the program could cause a security breach. It is much
> easier to verify a small program whose only purpose is to handle the
> reading/writing of the shadow file than, say, to verify xlock.

OK, got it. Makes sense.

The problem is defining a std interface to this program that will work
with a number of different auth methods. What about shadowed MD5 passwords
when they are kept in a separate file, for example? Or a custom
authentication database engine which only allows accesses from specific
users? 

Is this proposal just a program to use to access shadow passwords, or a
semi-official API for programs to get information from limited-access
authentication databases?

Hope this helps,

-- Elliot

"Have you ever had a microchip implanted in your skull so the government
can keep track of your every move? You will! And the company that will
bring it to you is AT&T"
