[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Follow up question...
|
From: |
xystrus |
|
Subject: |
Re: Follow up question... |
|
Date: |
Thu, 4 Apr 2002 19:21:49 -0500 |
|
User-agent: |
Mutt/1.3.27i |
On Wed, Apr 03, 2002 at 06:50:03AM -0800, Jeff Bailey wrote:
> Follow up question:
>
> If pop3d and imap4d wind up installed SUID, should we somehow
> dissallow --pam-service=STRING when not being run by root? That could
> be an interesting security hole.
Why do you need this facility at all? The proper way to control what
authentication modules are used is to make sure the appropriate modules are
installed in the system's PAM module directory, and provide the
configuration in the system's PAM configuration directory. All of those
things, the files and the directories that contain them, should be writable
only by root. Providing any mechanisms to circumvent that is only asking
for trouble.
Now I have to amend my previous statement a bit... I was considering remote
vulnerabilities only, not local ones. Installing a program SUID does make
it a lot more likely that you'll introduce a local root compromise.
However, any time a user is allowed to interact with a process that runs
with root priviledges, you must be very careful and perform an audit of all
aspects of how the program interacts with the user. This is why many people
prefer that mail programs not run as root at all, but run SGID mail.
To answer your question though, yes. If you install the program such that a
regular user can start it with root priviledges, you should definitely not
allow the user to specify the PAM service. That pretty much guarantees a
root compromise.
Xy