Re: ITP or RFP pam-redhat or request to merge pam-redhat in pam

>>>>> "Fumitoshi" == Fumitoshi UKAI <ukai@debian.or.jp> writes:

    Fumitoshi> mischief files to attack the code w3mimgdisplay uses. I
    Fumitoshi> want to avoid using setuid root as much as possible.

Please make sure that you do not introduce bigger security holes in
your attempt to avoid using setuid root than you solve by avoiding
setuid root.

    Fumitoshi> I can package pam-redhat as deb package, but it may be
    Fumitoshi> better to be included in pam or managed with pam
    Fumitoshi> packages.  What is the good way to put pam-redhat in
    Fumitoshi> Debian?

I'd start by doing a security audit of the pam_console code.  Does it
work by changing the permissions of the console device or granting
extra groups to the user?

If all you want to package is just pam_console, you probably want to
call the package libpam-console, not pam-redhat, even though it does
come from Red Hat's PAM distribution.

Note that pam_console is not going to be particularly useful unless
you can convince applications like login to actually use it.
