
Re: xdm conv function

Andrew Morgan writes:
>What's wrong with this is the way it works: it spawns a separate
>application to provide the PAM dialog box, and the PAM'd application
>needs to talk to it via a pair of pipes.

Actually, this isn't such a bad idea from a security standpoint.

Applications that are setuid, at least, probably shouldn't be
linked against large complex toolkits -- even if they are
audited once, they tend to change over time, and audits are
not perfect, so the larger the code base, the more chance for
a missed buffer overrun.  Using a separate program that drops
root privs first thing and then talks over a pipe, there's
much less of a chance of unintended buffer overruns.  That's
how we do all our graphical authentication in Red Hat Linux.
There's a wrapper in the usermode package, and although
a great deal of the code in there sucks, the setuid part has
been audited...  It's the way that gdm does it as well.

Of course, this doesn't apply when your authentication does
not involve transferable privs like setuid.  But there are
precious few PAM applications that don't involve some sort
of privilege transfer.  :-)


"Magazines all too frequently lead to books and should be regarded by the
 prudent as the heavy petting of literature."            -- Fran Lebowitz
 Linux Application Development     http://people.redhat.com/johnsonm/lad/
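
The arrangement described in the message above, as an added example that is not part of the original e-mail and is not code from usermode or gdm: a privileged parent forks a helper that drops privileges before doing anything else, then exchanges a prompt and a reply with it over a pair of pipes, reading the reply with a hard bound. The names `ask_helper`, `drop_privs` and `helper`, the uid/gid 65534 and the canned reply are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE                 /* setgroups() on glibc */
#include <grp.h>
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently become uid/gid; fail closed if any step fails. */
static int drop_privs(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && uid != 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;   /* gid first, then uid */
    if (uid != 0 && setuid(0) == 0) return -1;             /* root must be gone for good */
    return 0;
}

/* Stand-in for the dialog program (where the large toolkit would live).
 * The canned reply is constructed sample data, not real user input. */
static void helper(int in, int out, uid_t uid, gid_t gid) {
    char prompt[128];
    if (drop_privs(uid, gid) != 0) _exit(1);               /* first thing, before any I/O */
    if (read(in, prompt, sizeof prompt) <= 0) _exit(2);
    static const char reply[] = "correct horse battery staple";
    _exit(write(out, reply, sizeof reply - 1) < 0 ? 3 : 0);
}

/* Privileged side: returns the reply length, or -1 on any helper failure. */
int ask_helper(const char *prompt, char *buf, size_t bufsz, uid_t uid, gid_t gid) {
    int to[2], from[2], status;
    if (bufsz == 0 || pipe(to) != 0) return -1;
    if (pipe(from) != 0) { close(to[0]); close(to[1]); return -1; }
    signal(SIGPIPE, SIG_IGN);           /* a dead helper must not kill the parent */
    pid_t pid = fork();
    if (pid < 0) { close(to[0]); close(to[1]); close(from[0]); close(from[1]); return -1; }
    if (pid == 0) { close(to[1]); close(from[0]); helper(to[0], from[1], uid, gid); }
    close(to[0]); close(from[1]);
    ssize_t w = write(to[1], prompt, strlen(prompt));
    close(to[1]);
    /* The helper's output is untrusted: never read more than bufsz - 1 bytes. */
    ssize_t n = w < 0 ? -1 : read(from[0], buf, bufsz - 1);
    close(from[0]);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) ||
        WEXITSTATUS(status) != 0 || n < 0) return -1;
    buf[n] = '\0';
    return (int)n;
}

int main(void) {                        /* 65534: assumed "nobody" uid/gid */
    char pw[64];
    return ask_helper("Password: ", pw, sizeof pw, 65534, 65534) < 0;
}
```

Run without root, `main` fails closed because the helper cannot switch to uid 65534; only the small `ask_helper` side would ever need to be setuid and audited.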
