Re: PAM exec patch to allow PAM_AUTHTOK to be exported.



Zane C.B. napsal/wrote, On 05/21/07 02:03:
> > 3. wants to be PAM aware, but its programmer is too lazy to write
> > it the clean way (as regular pam module) - we need the patch
> >
> > The patch shall be rejected because the only purpose of it
> > is to support lazy programmers creating hacks instead of solutions.
>
> Actually it does not support lazy programming, but
> makes life of an administrator easier.

The contrib/smbfs/mount_smbfs/mount_smbfs.c is very short and simple. Writing a PAM module with the same functionality requires almost the same amount of time as patching it. In advance, you need to catch not only pam_sm_session_open but also pam_sm_session_close (I assume you plan to umount the resource also). Unfortunately (unless I miss something) pam_exec has no way to pass information about 'direction' to the called program. You also can't use the simple heuristic "when not mounted, mount it, and vice versa", because the same user can have more than one simultaneous active session.

The logic you need to implement seems to require much more coding than a simple patch on either pam_exec or mount_smbfs ...

pam_exec in the chain hurts more than it helps. IMHO, of course.

But further discussion about it seems not to be security related, so we should not continue here.

Dan


--
Dan Lukes SISAL MFF UK
AKA: dan at obluda.cz, dan at freebsd.cz, dan at (kolej.)mff.cuni.cz
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
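
The point above about simultaneous sessions, as an added example that is not part of the original message or of any FreeBSD source: a per-user session counter that a session module's open and close hooks could consult, so the share is mounted only on the first login and unmounted only on the last logout. The function names and the counter file (a path chosen by the caller, assumed to live in a root-only directory) are hypothetical.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose flock(), pread(), O_NOFOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <unistd.h>

/* Add delta (+1 on session open, -1 on close) to the counter stored in
 * `path` while holding an exclusive lock, so concurrent logins of the same
 * user cannot race. Returns the count BEFORE the change, or -1 on error. */
static long adjust_count(const char *path, int delta)
{
    char buf[32] = {0};
    long prev = 0, next;
    int len, fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, 0600);

    if (fd < 0)
        return -1;
    if (flock(fd, LOCK_EX) != 0) {
        close(fd);
        return -1;
    }
    if (pread(fd, buf, sizeof(buf) - 1, 0) > 0)
        prev = strtol(buf, NULL, 10);
    if (prev < 0)
        prev = 0;                  /* treat a corrupt file as "no sessions" */
    next = prev + delta;
    if (next < 0)
        next = 0;                  /* stray close without a matching open */
    len = snprintf(buf, sizeof(buf), "%ld\n", next);
    if (ftruncate(fd, 0) != 0 || pwrite(fd, buf, (size_t)len, 0) != len)
        prev = -1;
    close(fd);                     /* closing the descriptor drops the lock */
    return prev;
}

/* Open-session hook: 1 = first session of this user, mount now; 0 = already
 * mounted by an earlier session; -1 = error. */
int session_opened(const char *path)
{
    long prev = adjust_count(path, +1);
    return prev < 0 ? -1 : (prev == 0);
}

/* Close-session hook: 1 = last session ended, unmount now; 0 = keep mounted. */
int session_closed(const char *path)
{
    long prev = adjust_count(path, -1);
    return prev < 0 ? -1 : (prev == 1);
}
```

The counter is only as accurate as the hooks: a session that ends without its close hook running leaves the count too high, and the share stays mounted.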


