Date:      Wed, 15 Mar 2000 18:52:22 -0800 (PST)
From:      Kris Kennaway <kris@FreeBSD.org>
To:        Chris Piazza <cpiazza@jaxon.net>
Cc:        FreeBSD Ports <ports@FreeBSD.org>, jedgar@FreeBSD.org
Subject:   Re: [SECURITY] Serious problems with the wdm port
Message-ID:  <Pine.BSF.4.21.0003151846390.30224-100000@freefall.freebsd.org>
In-Reply-To: <20000315173129.A5272@norn.ca.eu.org>

On Wed, 15 Mar 2000, Chris Piazza wrote:

> Hi,
> 
> The wdm port was recently upgraded to 1.20.  Okay, that's fine.  Except
> if you enable pam using USE_PAM it does some pretty weird things.
> 
> 1. It installs and grabs its PAM information from /etc/pam.d/wdm.  Uh..
>    what is that?

RedSplat installs the pam config files there. Actually that makes some
sense because it lets ports install their own PAM config like this one
tried to (lucky for us it didn't :)

> 2. This is the security problem.  By default it uses this for PAM modules:
> 
> #%PAM-1.0
> auth       sufficient   /usr/lib/pam_permit.so
> account    sufficient   /usr/lib/pam_permit.so
> session    sufficient   /usr/lib/pam_permit.so

Ack! That certainly seems stupid, unless I'm misunderstanding something
(i.e. for each of the 3 PAM types, if any of the sufficient entries
evaluate true it passes authentication, and this will always happen
because pam_permit.so always returns boolean true).

> The only reason I found this was because the modules I'd listed in 
> /etc/pam.conf (the RIGHT place) weren't even being used.

Nice spotting. So this looks like a general problem with the port - but am
I right that since it doesn't actually modify the pam config on FreeBSD
it's not directly a problem for us (only if someone copies the default?)

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>
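An added example, not part of the original message or of the wdm port: a small audit that reads PAM rules in either layout mentioned in the thread (a per-service `/etc/pam.d/` file or `/etc/pam.conf`) and reports stacks where `pam_permit.so` can succeed with no real `required`/`requisite` module ahead of it. The names `parse` and `unguarded_permit` and the `pam.conf` sample are assumptions made for illustration; the wdm sample is the config quoted above.

```python
import re

# type, control (one word or a Linux-PAM "[...]" group), module path
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")
GATING = {"required", "requisite"}  # a failure here fails the whole stack

def parse(text, service=None):
    """Yield (service, type, control, module) for each rule.
    service=None means pam.conf layout (service name in the first column);
    otherwise text is the content of one /etc/pam.d/<service> file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and "#%PAM-1.0"
        svc = service
        if service is None:
            svc, line = (line.split(None, 1) + ["", ""])[:2]
        m = RULE.match(line)
        if m:
            yield (svc,) + m.groups()

def unguarded_permit(rules, types=("auth", "account")):
    """Return (service, type) stacks in which pam_permit appears before any
    real required/requisite module, so the stack passes unconditionally."""
    gated, hits = set(), []
    for svc, typ, control, module in rules:
        key = (svc, typ)
        if typ not in types:
            continue
        if module.rsplit("/", 1)[-1].startswith("pam_permit"):
            if key not in gated and key not in hits:
                hits.append(key)
        elif control in GATING:
            gated.add(key)
    return hits

# The default wdm config quoted in the message above.
WDM_DEFAULT = """#%PAM-1.0
auth       sufficient   /usr/lib/pam_permit.so
account    sufficient   /usr/lib/pam_permit.so
session    sufficient   /usr/lib/pam_permit.so
"""
# Constructed pam.conf-style sample with a real module guarding auth/account.
PAM_CONF_SAMPLE = """wdm  auth     required  pam_unix.so
wdm  account  required  pam_unix.so
wdm  session  required  pam_permit.so
"""

if __name__ == "__main__":
    print(unguarded_permit(parse(WDM_DEFAULT, service="wdm")))
    print(unguarded_permit(parse(PAM_CONF_SAMPLE)))
```

Session stacks are skipped by default because `pam_permit.so` is often used there deliberately; pass `types=("auth", "account", "session")` to include them.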


