
Re: Re[2]: Debian PAM
ES>> Well, not exactly. libc has been there for a much longer time
ES>> and is in use in much more places than the PAM stuff, so one can
ES>> perfectly believe that the chances of (security-related) bugs
ES>> exist in libc is significantly lower.

In a perfect world, maybe. In fact, I remember only one security issue
with PAM:

http://geek-girl.com/bugtraq/1998_4/0704.html

and even this one was more a faulty-module issue than a PAM issue, and RH
wasn't vulnerable either. And there are really, really many bugs connected with
libc on various platforms. For example:

http://geek-girl.com/bugtraq/1997_4/0528.html
http://geek-girl.com/bugtraq/1996_3/0261.html
http://geek-girl.com/bugtraq/1997_1/0244.html
http://geek-girl.com/bugtraq/1997_1/0159.html
http://geek-girl.com/bugtraq/1996_1/0042.html

Talk about chances... 

In fact, I don't see a way to correctly implement security policies across
many applications without use of something like PAM (see also
http://geek-girl.com/bugtraq/1999_1/0357.html, from the second paragraph).

You may also look at the recent SSH thread on Bugtraq, where SSH had problems
with account expiration/locking exactly because they *didn't* use PAM.
-- 
frodo@sharat.co.il	\/  There shall be counsels taken
Stanislav Malyshev	/\  Stronger than Morgul-spells
phone +972-2-6245112	/\  		JRRT LotR.
http://sharat.co.il/frodo/	whois:!SM8333
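As an added illustration of the point made above about account expiration/locking (this fragment is not part of the original message or of any Debian package; the file path and module set are assumptions, based on a typical Linux-PAM layout), here is what a minimal service file for sshd looks like. The relevant part is the `account` stack: it runs after authentication and is where expiry and locking are enforced, so every PAM-aware service inherits the same policy instead of reimplementing it.

```text
# /etc/pam.d/sshd  (assumed path; added example, not from the original post)
#
# type      control   module          purpose
auth        required  pam_unix.so     # verify the password against /etc/shadow
account     required  pam_unix.so     # reject expired accounts and expired passwords
account     required  pam_nologin.so  # refuse non-root logins while /etc/nologin exists
password    required  pam_unix.so     # password changes go through the same module
session     required  pam_unix.so     # open/close the login session
```

A service that bypasses PAM and checks only the password hash never runs the `account` stack, which is exactly how an expired or locked account can still log in. On a Linux-PAM system, `chage -l <user>` shows the expiry fields that `pam_unix.so` consults in the `account` phase.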