[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[mituc@iasi.rdsnet.ro: pam limits drops privileges]

Sounds strange to me... but I'm forwarding it here in case you
haven't seen it yet.


----- Forwarded message from Tarhon-Onu Victor <mituc@iasi.rdsnet.ro> -----

Date: Thu, 6 Sep 2001 00:37:52 +0300 (EEST)
From: Tarhon-Onu Victor <mituc@iasi.rdsnet.ro>
To: <bugtraq@securityfocus.com>
Subject: pam limits drops privileges

	Tested with: RedHat Linux
		pam-0.74-22, pam-0.75-7, util-linux-2.10s,
		util-linux-2.10s-12, in any combination.
	Posted on: Bugzilla and Pam-Bugs.
	Distribution dependent: dunno, but I think it's a pam bug.

	Problem description: If there are any limits set for a group of
users then those users, logging in by any method using /bin/login (console
login, telnet, etc) can get privileges of the last user last logged in
via ssh (we're using openssh).
	How to reproduce:
	# groupadd testgroup
	# useradd testuser -g testgroup
	# echo '@testgroup  -  maxlogins  2'
	ssh (let's say) as root into your box, then telnet into it and
login as testuser... and enjoy.

	I think this is a big problem because It's difficult to manage a
>200 users system without group/user limits.

Tarhon-Onu Victor
Network and System Engineer
RDS Iasi - Network Operations Center
Phone: +40-32-218385

----- End forwarded message -----

Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.            

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []