
Re: Loosening file checks--a good idea?



>>>>> "Theodore" == Theodore Ts'o <tytso@MIT.EDU> writes:

    Theodore> My recommendation would be to control the behaviour
    Theodore> based on a module-arguments in the pam.conf/pam.d entry.
    Theodore> I'd also make the default be to not follow symlinks,
    Theodore> since it could potentially cause a security exposure
    Theodore> (even in the pam_listfile case), so it should be one of

How do you have a security exposure with symlinks in this case?

Also, I tend to disagree that at least for the case of pam_listfile
having an option to control the behavior is appropriate.  Either
you're willing to trust the administrator or you are not.




