From owner-freebsd-ports Wed Mar 15 18:52:26 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 7DBF837BA1C; Wed, 15 Mar 2000 18:52:24 -0800 (PST) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id SAA30839; Wed, 15 Mar 2000 18:52:24 -0800 (PST) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Wed, 15 Mar 2000 18:52:22 -0800 (PST)
From: Kris Kennaway
To: Chris Piazza
Cc: FreeBSD Ports, jedgar@FreeBSD.org
Subject: Re: [SECURITY] Serious problems with the wdm port
In-Reply-To: <20000315173129.A5272@norn.ca.eu.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 15 Mar 2000, Chris Piazza wrote:

> Hi,
>
> The wdm port was recently upgraded to 1.20. Okay, that's fine. Except
> if you enable pam using USE_PAM it does some pretty weird things.
>
> 1. It installs and grabs its PAM information from /etc/pam.d/wdm. Uh..
> what is that?

RedSplat installs the pam config files there. Actually that makes some sense
because it lets ports install their own PAM config like this one tried to
(lucky for us it didn't :)

> 2. This is the security problem. By default it uses this for PAM modules:
>
> #%PAM-1.0
> auth sufficient /usr/lib/pam_permit.so
> account sufficient /usr/lib/pam_permit.so
> session sufficient /usr/lib/pam_permit.so

Ack! That certainly seems stupid, unless I'm misunderstanding something
(i.e. for each of the 3 PAM types, if any of the sufficient entries evaluate
true it passes authentication, and this will always happen because
pam_permit.so always returns boolean true).

> The only reason I found this was because the modules I'd listed in
> /etc/pam.conf (the RIGHT place) weren't even being used.
Nice spotting. So this looks like a general problem with the port - but am I
right that since it doesn't actually modify the pam config on FreeBSD it's
not directly a problem for us (only if someone copies the default?)

Kris
----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe
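An added example, not part of the thread: a small Python audit that parses both the /etc/pam.d/<service> layout and the /etc/pam.conf layout discussed above and flags any stack that pam_permit.so makes unconditional. The control-flag model it uses (pam_permit.so always succeeds, every other module may fail, a "sufficient" success ends the stack unless an earlier required/requisite module could already have failed) is a simplified assumption of this example, not a full PAM implementation.

```python
"""Audit PAM stacks that can never deny a login (simplified control-flag model:
pam_permit.so always succeeds, any other module may fail, a 'sufficient' success
ends the stack unless an earlier required/requisite module could have failed)."""
ALWAYS_SUCCEEDS = {"pam_permit.so"}


def parse_pam(text, service=None):
    """Parse /etc/pam.d/<service> lines (pass service) or /etc/pam.conf lines
    (service is the first column). Returns {(service, type): [(control, module)]}."""
    stacks = {}
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()      # drops comments and '#%PAM-1.0'
        if not cols:
            continue
        svc = service if service is not None else cols.pop(0)
        if len(cols) < 3:
            raise ValueError("malformed PAM line: %r" % line)
        module = cols[2].rsplit("/", 1)[-1]       # /usr/lib/pam_permit.so -> pam_permit.so
        stacks.setdefault((svc, cols[0].lower()), []).append((cols[1].lower(), module))
    return stacks


def always_passes(stack):
    """True if the stack succeeds for every user under the model above.
    Bracketed '[...]' controls are treated like 'optional' (conservative)."""
    fallible_required_seen = decided = False
    for control, module in stack:
        infallible = module in ALWAYS_SUCCEEDS
        if control == "sufficient" and infallible and not fallible_required_seen:
            return True                           # short-circuit: nobody can be denied
        if control in ("required", "requisite"):
            decided = True
            fallible_required_seen |= not infallible
    return decided and not fallible_required_seen


def audit(text, service=None):
    """Return the (service, type) stacks that never deny."""
    return [k for k, s in parse_pam(text, service).items() if always_passes(s)]


# Constructed samples: the wdm default quoted in the report (pam.d style) and a
# constructed pam.conf excerpt where a real password check comes first.
WDM_DEFAULT = """#%PAM-1.0
auth sufficient /usr/lib/pam_permit.so
account sufficient /usr/lib/pam_permit.so
session sufficient /usr/lib/pam_permit.so
"""
PAM_CONF = """wdm auth required pam_unix.so
wdm auth sufficient pam_permit.so
wdm account required pam_unix.so
"""
```

Running `audit(WDM_DEFAULT, "wdm")` reports all three wdm stacks as open, while `audit(PAM_CONF)` reports none, because the required pam_unix.so entry precedes the sufficient pam_permit.so entry and its failure still decides the stack.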