pam module that allows users to write their own configuration

Tomas Mraz tmraz at redhat.com
Fri May 23 17:33:33 UTC 2008


On Fri, 2008-05-23 at 17:28 +0200, Frankie Boy wrote:
> Thorsten Kukuk wrote:
> > On Fri, May 23, Frankie Boy wrote:
> >
> >   
> >> On Fri, May 23, Thorsten Kukuk wrote:
> >>
> >>     
> >>> On Fri, May 23, Frankie Boy wrote:
> >>>
> >>>       
> >>>> Hello!
> >>>>
> >>>> My friend and I started to develop a PAM-module which moves the 
> >>>> configuration-process responsibility from system administrator to system 
> >>>> users.
> >>>> Every system user is able to configure his own pam-modules stack for 
> >>>> authentication.
> >>>>         
> >>> Hm, isn't that a big security risk? This would allow a user
> >>> to configure a very weak authentication schema, which allows
> >>> a hacker to crack this account very fast ...

I agree with Thorsten that it is not a good idea at all. Note that the
modules will run under the root account and many of the modules (although
rather session modules than auth modules) do things which, if set up wrong
or even with malicious intentions, can even do bad things to accounts
other than that of the user who set this up. This could be
fixed by changing to the uid of the user before calling the
user-configured PAM stack, but there is still a big potential for problems
anyway.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
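
The uid change mentioned in the message above, sketched as an added example that is not part of the original post or of any PAM module: a privileged parent forks, the child permanently becomes the target user and confirms it cannot get root back, and only then runs the user-controlled code. The names `run_as_user`, `drop_to_user`, `user_stack_fn` and `sample_stack` are hypothetical, and refusing uid 0 is a policy assumed here; this covers only the uid switch, not the other problems the message alludes to.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* exposes setgroups() on glibc */
#endif
#include <grp.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical callback standing in for "call the user-configured stack". */
typedef int (*user_stack_fn)(void *arg);

/* Permanently become uid/gid. Returns 0 on success, -1 on any failure. */
static int drop_to_user(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;   /* assumed policy: a user-written stack never runs as root */
    if (getuid() == uid && geteuid() == uid)
        return 0;    /* already the target user: nothing left to drop */
    /* Only root can switch users. Order matters: groups, then gid, uid last. */
    if (geteuid() != 0 || setgroups(1, &gid) != 0 ||
        setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Confirm the drop is irreversible before touching user-controlled input. */
    if (setuid(0) == 0 || seteuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return -1;
    return 0;
}

/* Run fn in a child that has dropped to uid/gid; the caller keeps its own
 * privileges. Returns fn's result (0..127), or -1 if the drop or child failed. */
int run_as_user(uid_t uid, gid_t gid, user_stack_fn fn, void *arg)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_to_user(uid, gid) != 0)
            _exit(255);              /* fail closed: fn is never reached */
        _exit(fn(arg) & 0x7f);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

/* Constructed stand-in stack: 0 if running as *arg with no way back to root. */
int sample_stack(void *arg)
{
    uid_t want = *(uid_t *)arg;
    return (getuid() == want && geteuid() == want && setuid(0) != 0) ? 0 : 1;
}
```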



