
Re: userid and groups questions



On Thu, 23 Sep 1999, Stephen Langasek wrote:

> On 23 Sep 1999 tvaughan@aventail.com wrote:
> 
> > Let's say in order to be authenticated, someone has to provide three sets
> > of credentials: a one-time password, a Social Security Number, and a static
> > password. But if each of these modules is allowed to get and set the userid
> > and the user id is set after all authentication modules have been run, then
> > you could have something like:
> 
> >         User ID: alice
> >         alice's one-time password: 0x0f0f0f0f
> 
> >         User ID: alice
> >         alice's SSN: 555-55-5555
> 
> >         User ID: bob
> >         bob's password: gr8passwd
> 
> >         <set user id = bob>
> 
> >         Welcome to service bob.
> 
> > Which means in order to compromise an identity, all I have to do is
> > compromise the last authentication module.
> 
> Ok, I give up.  Why would a module that's checking a user's SSN change the
> userid?
> 
> Just because someone could conceivably write a braindead/malicious PAM
> module that changes userids when it shouldn't, or because an administrator
> could misconfigure his PAM settings so that there are exploitable loopholes,
> doesn't mean that modules shouldn't be /able/ to change the uid.  And
> realistically, if the application runs as root there's not much libpam can
> do anyway to stop a module from changing the uid if that's what the module
> writer thinks needs to happen.

My 2c. Because authentication is an issue, and setting credentials (like a
UID) is a different one. Just think what would be to change all the
applications that get the uid from a getpwnam(). This is really not PAM's
job. I really like PAM because you can stack multiple modules, and check
IF the user has a valid password IN PASSWD OR ELSEWHERE, AND IF the user
is in a list of valid users AND IF there is not a /etc/nologin file etc.
This is just perfect. After this, trying to convince PAM to FORCE the
application to accept a proposed credential is science fiction. 

Think of it this way. Some applications don't need a UID at all, but still
want to authenticate the user, and only that.

I don't think I understand your last statement. What do you mean by
'there's not much libpam can do anyway to stop a module from changing the
uid if that's what the module writer thinks needs to happen'? How can a
module change a uid, when the module does not have the idea of a UID?

This is really nss's job, to hook getXXbyYY and getpw{nam,uid} to get the
uid from a good place.

Cheers,
Misa
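
Added example (not part of the thread, and not libpam code): a self-contained C model of the stacked-module scenario quoted above, in which the caller pins the user name it started with and refuses the login if any module leaves a different name behind. The `handle` struct, the module functions and `run_stack_pinned` are hypothetical names used only for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy stand-in for the user-name item a module can read and overwrite. */
struct handle { char user[32]; };

/* A module returns 1 if its credential check passed, 0 otherwise. */
typedef int (*module_fn)(struct handle *h);

/* Constructed modules mirroring the scenario quoted in the thread. */
static int otp_check(struct handle *h) { (void)h; return 1; }
static int ssn_check(struct handle *h) { (void)h; return 1; }
static int pw_check(struct handle *h)  { (void)h; return 1; }
/* Passes its own check, but for "bob", and rewrites the user name. */
static int pw_check_switches_user(struct handle *h)
{
    snprintf(h->user, sizeof h->user, "%s", "bob");
    return 1;
}

const module_fn consistent_stack[] = { otp_check, ssn_check, pw_check };
const module_fn mixed_stack[] = { otp_check, ssn_check, pw_check_switches_user };

/* Treat every module as required, and pin the identity: return 1 only if
 * all modules pass and none of them changed the user name. */
int run_stack_pinned(const char *requested, const module_fn *stack, size_t n)
{
    struct handle h;
    snprintf(h.user, sizeof h.user, "%s", requested);
    for (size_t i = 0; i < n; i++) {
        if (!stack[i](&h))
            return 0;   /* a required check failed */
        if (strcmp(h.user, requested) != 0)
            return 0;   /* credentials were proven for someone else */
    }
    return 1;
}

int main(void)
{
    printf("consistent: %d\n", run_stack_pinned("alice", consistent_stack, 3));
    printf("mixed:      %d\n", run_stack_pinned("alice", mixed_stack, 3));
    return 0;
}
```

Checking after every module, rather than only at the end, means each credential in the stack has been verified against the same name before access is granted.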


