Re: PAM exec patch to allow PAM_AUTHTOK to be exported.
- To: Dag-Erling Smørgrav <des_(_at_)_des_(_dot_)_no>
- Subject: Re: PAM exec patch to allow PAM_AUTHTOK to be exported.
- From: "Zane C.B." <v_(_dot_)_velox_(_at_)_vvelox_(_dot_)_net>
- Date: Sun, 20 May 2007 13:24:10 -0400
- Cc: FreeBSD Security <freebsd-security_(_at_)_freebsd_(_dot_)_org>
On Sun, 20 May 2007 19:10:33 +0200
Dag-Erling Smørgrav <des_(_at_)_des_(_dot_)_no> wrote:
> "Zane C.B." <v_(_dot_)_velox_(_at_)_vvelox_(_dot_)_net> writes:
> > Dag-Erling Smørgrav <des_(_at_)_des_(_dot_)_no> writes:
> >> Your patch opens a gaping security hole. Sensitive information
> >> should never be placed in the environment.
> > Unless I am missing something, this is only dangerous if one is
> > doing something stupid with whatever is being executed by
> > pam_exec.
>
> Environment variables may be visible to other processes and users
> through e.g. /proc.
Cool. Forgot about /proc. It is definitely an issue. Hmmm, any ideas in
the area of passing it then?
My current thoughts are along the lines of passing it through stdin
currently.
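Added example, not from this thread and not FreeBSD's pam_exec: a C helper that delivers the token to the executed program over a pipe on its stdin with a freshly built environment, so the secret is never present in the child's environment (and therefore not in /proc/<pid>/environ). The function name, the PATH-only envp and the sample token are assumptions.

```c
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run argv[0] with `secret` delivered on its stdin and a freshly built,
 * minimal envp, so the token never enters the child's environment.
 * Returns the child's exit status, or -1 on error. */
int run_with_secret_on_stdin(char *const argv[], const char *secret)
{
    int fds[2], status, ok;
    pid_t pid;

    if (pipe(fds) == -1)
        return -1;
    pid = fork();
    if (pid == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: stdin becomes the pipe's read end. envp is constructed
         * here (assumed: PATH only), not inherited, so no PAM_AUTHTOK. */
        char *const envp[] = { "PATH=/bin:/usr/bin", NULL };
        close(fds[1]);
        if (dup2(fds[0], STDIN_FILENO) == -1)
            _exit(127);
        close(fds[0]);
        execve(argv[0], argv, envp);
        _exit(127); /* exec failed */
    }
    /* Parent: write token plus newline, then close so the child sees EOF.
     * A PAM token is far below PIPE_BUF, so a single write is not split. */
    close(fds[0]);
    ok = write(fds[1], secret, strlen(secret)) != -1 &&
         write(fds[1], "\n", 1) != -1;
    close(fds[1]);
    if (waitpid(pid, &status, 0) == -1 || !ok)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demo with a constructed helper: token on stdin, absent from env -> exit 0. */
int main(void)
{
    char *const argv[] = { "/bin/sh", "-c",
        "read -r tok && [ \"$tok\" = s3cret-example ] && [ -z \"$PAM_AUTHTOK\" ]",
        NULL };
    return run_with_secret_on_stdin(argv, "s3cret-example");
}
```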
freebsd-security_(_at_)_freebsd_(_dot_)_org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security