Re[4]: Debian PAM
"Stanislav Malyshev a.k.a Frodo" <frodo@sharat.co.il> wrote:
> ES>> Well, not exactly. libc has been there for a much longer time
> ES>> and is in use in much more places than the PAM stuff, so one can
> ES>> perfectly believe that the chances of (security-related) bugs
> ES>> exist in libc is significantly lower.
>
> In a perfect world, maybe. In fact, I remember only one security-issue
> with PAM:
>
> http://geek-girl.com/bugtraq/1998_4/0704.html
>
> and even this one was more faulty module issue than PAM issue, and RH
> wasn't vulnerable either. And really, really many bugs connected with
> libc on various platforms. For example:
>
> http://geek-girl.com/bugtraq/1997_4/0528.html
> http://geek-girl.com/bugtraq/1996_3/0261.html
> http://geek-girl.com/bugtraq/1997_1/0244.html
> http://geek-girl.com/bugtraq/1997_1/0159.html
> http://geek-girl.com/bugtraq/1996_1/0042.html
>
> Talk about chances...
OK, first, the number of bugs found in a package is proportional, in
addition to all other factors, to the number of its users; which is
definitely higher for libc as compared to PAM.
As well, I think the libc bugs you mention (at least some of them) would
open security holes anyway, whether PAM is used or not - authentication
is not the only thing that uses suid executables. So it's not a fair
comparison.
> In fact, I don't see a way to correctly implement security policies
> across many applications without use of something like PAM (see also
> http://geek-girl.com/bugtraq/1999_1/0357.html, from the second
> paragraph).
Of course, I agree, that the idea of PAM is great and this is the way to go
eventually.
Regards,
Evgeny
--
Evgeny Stambulchik <fnevgeny@plasma-gate.weizmann.ac.il>
Plasma Laboratory, Weizmann Institute of Science, Israel
Phone : (972)8-934-3610    FAX : (972)8-934-3491
URL : http://plasma-gate.weizmann.ac.il/~fnevgeny/
Finger for PGP key