[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
Re: Pam-list Digest, Vol 34, Issue 4
- From: Andreas Schindler <schindler az1 de>
- To: pam-list redhat com
- Subject: Re: Pam-list Digest, Vol 34, Issue 4
- Date: Wed, 13 Dec 2006 08:30:34 +0100
pam-list-request redhat com wrote:
>
> Subject:
> Dropping privs by PAM modules.
> From:
> s_n <jusnet vp pl>
> Date:
> Mon, 11 Dec 2006 19:34:14 +0100
> To:
> pam-list redhat com
>
> To:
> pam-list redhat com
>
>
> Hi,
>
> I'm just wondering about dropping privilages by pam modules, does it
> make sense to you anyway? How to consider such behaviour, improved
> security or is it just security by obscurity? Anyway, imagine badly
> coded module, which can be circumvented by an attacker and used to
> launch his own code. Will dropping privs mitigate the possible loses
> coused by such malicious code? What are you thinking about it?
>
> Sincerly,
> Filip (s_n) Palian.
>
>
Filip,
IMHO i's good use to drop privileges when you don't need them, just to protect
you against your own coding-quirks. You can regain privileges at any time if
the need arises up to the user's base privilege level. To equip PAM modules
with root privileges there is no other way but using a helper process which
is made SUID. This construct is used by a few PAM modules, namely pam_unix to
cope with shadow password authentication.
Regards, Andreas
[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]