Re: further modifications to mod_auth_pam.c

On Tue, 6 May 1997, Michael K. Johnson wrote:

> Chris Dent writes:
> >My modifications allow the
> >pam service name to be listed in the .htaccess file[...]
> How secure is this practice?  I've noticed that this has been added
> to several applications; I have a policy of not putting this capability
> in apps that I've pamified for Red Hat Linux because I'm of the opinion
> that putting this choice anywhere where users can get at it is a bad
> idea.

You make a good point. In my usage of the module I've been making the
following basic assumption:

  The web server has to run as root when doing pam_auth (this _is_ true
  isn't it?) so I'm running it in a tightly locked down situation where
  no one has access to HTML or CGI directories except for admin type
  people who (should) know what they are doing. Unless someone is
  being very careless there won't be any "AuthPamName theeasywayin"
  where theeasywayin is pam_permit. In fact in my case the web server
  is set up to reject everything but requests into one directory.

  I don't have any wide open services in pam.conf.

Also, I had to have a way to allow additional htaccess methods besides
PAM on the server. With the module configured the way it was, all auth
had to go through PAM. Doing AuthPamName gave something to depend on,
along with an added dose of flexibility. Enough rope and all.

> I can't say that it would be exploitable, but I worry about it.  Have
> people been carefully considering this issue before adding this feature
> to apps?

Chris Dent........SysAdmin
...........Kiva Networking
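As an added example (not code from this thread or from mod_auth_pam itself), here is a small Python audit of the situation Michael raises: it pulls the PAM service names out of an .htaccess fragment via the AuthPamName directive and checks each service's "auth" stack in a pam.conf for pam_permit. The .htaccess and pam.conf inputs are constructed, and the service names in them are made up; the fallback to the "other" service is Linux-PAM's documented default for undefined services.

```python
import re

# Constructed .htaccess fragment of the kind discussed in the thread.
# The directive name AuthPamName comes from the thread; the service name is made up.
HTACCESS = """\
AuthType Basic
AuthName "restricted"
AuthPamName theeasywayin
require valid-user
"""

# Constructed pam.conf in the classic single-file format:
#   service  module-type  control-flag  module-path
PAM_CONF = """\
# service      type     control     module
httpd          auth     required    pam_unix.so
httpd          account  required    pam_unix.so
theeasywayin   auth     sufficient  pam_permit.so
"""


def auth_pam_services(htaccess_text):
    """Return the PAM service names selected by AuthPamName directives."""
    return [m.group(1) for m in
            re.finditer(r'^\s*AuthPamName\s+(\S+)', htaccess_text, re.M | re.I)]


def pam_auth_modules(pam_conf_text):
    """Map each service name to the module names on its 'auth' stack."""
    services = {}
    for line in pam_conf_text.splitlines():
        line = line.split('#', 1)[0].strip()      # drop comments and blanks
        fields = line.split()
        if len(fields) < 4:
            continue
        service, mtype, _control, module = fields[:4]
        if mtype.lower() == 'auth':
            services.setdefault(service, []).append(module.split('/')[-1])
    return services


def audit(htaccess_text, pam_conf_text):
    """Return (service, reason) findings for services that are undefined or permissive."""
    findings = []
    modules = pam_auth_modules(pam_conf_text)
    for svc in auth_pam_services(htaccess_text):
        # Linux-PAM falls back to the "other" service when a name is undefined.
        stack = modules.get(svc) or modules.get('other')
        if stack is None:
            findings.append((svc, 'no auth entry in pam.conf and no "other" default'))
        elif any(m.startswith('pam_permit') for m in stack):
            findings.append((svc, 'auth stack contains pam_permit'))
    return findings
```

Run it over a real docroot by reading each .htaccess found there in place of the constructed fragment.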

