[Bug 165919] Review Request: pam_ssh Pluggable Authentication Module for ssh
bugzilla at redhat.com
bugzilla at redhat.com
Mon Aug 15 16:01:55 UTC 2005
Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
Summary: Review Request: pam_ssh Pluggable Authentication Module for ssh
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=165919
------- Additional Comments From pertusus at free.fr 2005-08-15 12:01 EST -------
Regarding the permissions on the /var/run/pam_ssh/ files there is a use for a
file readable by the user. Indeed if the user log through a mean without the
pam_ssh module used he still can use the agent by sourcing the file.
Now as to have a file the user may modify the aim would be to let the user
manage the pam_ssh related files. Also this shouldn't have security implications
(related with ssh) as it is how things are currently done; the user may
manipulate the environment anyway.
In my opinion the difference is that now the files are in /var/run/pam_ssh and
not in the user home directory. So having files or dirs owned by the users may
create issues because of that. For example if there is a directory owned by a
user as I described above the user may fill the var file system. And if the user
is the file owner he should be able to change the permissions, thus may for
example permit other users to read or modify it or change the perms such that
the file is unreadable (although this last change should not be a big deal).
Using /var/run which should be local to the computer is good, but not allowing
the user to tweak the files created by pam_ssh is an important departure from
the upstream so I think this should be certain that it is needed.
--
Configure bugmail: https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
More information about the fedora-extras-list
mailing list