
Re[4]: Debian PAM



"Stanislav Malyshev a.k.a Frodo" <frodo@sharat.co.il> wrote:

>  ES>> Well, not exactly. libc has been there for a much longer time
>  ES>> and is in use in much more places than the PAM stuff, so one can
>  ES>> perfectly believe that the chances of (security-related) bugs
>  ES>> exist in libc is significantly lower.
>  
>  In a perfect world, maybe. In fact, I remember only one security issue
>  with PAM:
>  
>  http://geek-girl.com/bugtraq/1998_4/0704.html
>  
>  and even this one was more faulty module issue than PAM issue, and RH
>  wasn't vulnerable either. And really, really many bugs connected with
>  libc on various platforms. For example:
>  
>  http://geek-girl.com/bugtraq/1997_4/0528.html
>  http://geek-girl.com/bugtraq/1996_3/0261.html
>  http://geek-girl.com/bugtraq/1997_1/0244.html
>  http://geek-girl.com/bugtraq/1997_1/0159.html
>  http://geek-girl.com/bugtraq/1996_1/0042.html
>  
>  Talk about chances... 

OK, first, the number of bugs found in a package is proportional, in
addition to all other factors, to the number of its users; which is
definitely higher for libc as compared to PAM.

As well, I think, the bugs of libc you mention (at least part of them) would
open security holes anyway, whether PAM is used or not - the authentication
is not the only stuff that uses suid executables. So it's not a fair
comparison.

>  In fact, I don't see a way to correctly implement security policies
>  across
>  many applications without use of something like PAM (see also
>  http://geek-girl.com/bugtraq/1999_1/0357.html, from the second
>  paragraph).

Of course, I agree, that the idea of PAM is great and this is the way to go
eventually.

Regards,

Evgeny


--
   ____________________________________________________________
  / Evgeny Stambulchik  <fnevgeny@plasma-gate.weizmann.ac.il>  \
 /  Plasma Laboratory, Weizmann Institute of Science, Israel \  \
 |  Phone : (972)8-934-3610  == | == FAX   : (972)8-934-3491 |  |
 |  URL   :    http://plasma-gate.weizmann.ac.il/~fnevgeny/  |  |
 |  Finger for PGP key >=====================================+  | 
 |______________________________________________________________|
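As an added illustration (not part of this thread and not Debian's own shipped files), this is the kind of central policy the quoted message argues for: a Debian-style `/etc/pam.d` layout in which each service file pulls in shared stacks with `@include`, so a site-wide rule is written once and applies to `login`, `su`, `sshd` and every other PAM-aware service without changing any suid binary. The file paths follow the Debian convention; the specific module lines and the time rule are assumptions chosen for the example.

```conf
# --- /etc/pam.d/common-auth : shared authentication policy (assumed content)
# Every service that @includes this file gets the same password check.
auth     required   pam_unix.so

# --- /etc/pam.d/common-account : shared account policy (assumed content)
# One site-wide rule: consult /etc/security/time.conf before allowing access.
# A line such as   login;*;root;Wk0800-1800   there would confine interactive
# root logins to working hours for *all* including services at once.
account  required   pam_time.so
account  required   pam_unix.so

# --- /etc/pam.d/login : per-service file, only service-specific checks here
# Refuse root on insecure ttys and honour /etc/nologin, then the shared stacks.
auth     requisite  pam_securetty.so
auth     requisite  pam_nologin.so
@include common-auth
@include common-account
@include common-session

# --- /etc/pam.d/su : same shared stacks, different service-specific prefix
# root may su without a password; everyone else goes through common-auth.
auth     sufficient pam_rootok.so
@include common-auth
@include common-account
@include common-session
```

The design choice cuts both ways, which is the point the thread circles around: changing `common-account` hardens every service at once, but a defect in a module listed there (the "faulty module issue" mentioned above) is likewise exposed through every service that includes it, so the shared stacks deserve the same review attention as the suid programs that call them.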