General Stone <generalstone@gmx.net> writes:

> Roger Leigh wrote:
>> I'm fairly sure that the PAM_TTY must be a terminal device.  There
>> might be security issues in using a "fake" TTY: that's a relative
>> path, and so a "cups" "TTY" could be created in the CWD and
>> potentially abused (for example, a hard or soft link to a real TTY).
>> If there isn't a TTY, PAM_TTY should probably be left unset.
>
> Yes, I was self confused about the function of this variable, but the
> pam-modules (look at the sources) want be check if it was a TTY device
> or not. The SSH server sets the PAM_TTY variable to "ssh" and xdm sets
> the variable to ":0" or ":1", etc. The pam_access module itself
> supports these fake variables (see libpam-doc).
>
> So I think there shouldn't be a problem if cupsd sets the variable to
> "cups" or "cupsys" or whatever.

OK, thanks for clarifying that.  Looking at openssh, that was
surrounded by

  #ifdef PAM_TTY_KLUDGE
  ...
  #endif

so it looks like it's essentially a workaround for buggy PAM modules.
If it's considered acceptable for openssh, it should be fine for CUPS.


Thanks,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
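An added example, not part of the thread and not code from CUPS, OpenSSH or Linux-PAM: one way a consumer of PAM_TTY could separate the two kinds of value discussed above, so that a tag such as "cups" is never resolved as a relative path and only a real terminal device under /dev/ is ever opened. The names `classify_pam_tty` and `enum tty_kind`, and the policy itself, are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names; the policy below is an assumption, not Linux-PAM's. */
enum tty_kind { TTY_UNSET, TTY_LABEL, TTY_DEVICE };

enum tty_kind classify_pam_tty(const char *value)
{
    struct stat st;
    int fd, is_tty;

    if (value == NULL || *value == '\0')
        return TTY_UNSET;

    /* No '/': an opaque tag such as "ssh", ":0" or "cups". It is only ever
     * compared as a string, never opened, so a file or link named "cups"
     * in the current directory cannot be picked up. */
    if (strchr(value, '/') == NULL)
        return TTY_LABEL;

    /* Paths must be absolute under /dev/; any ".." is refused (conservative). */
    if (strncmp(value, "/dev/", 5) != 0 || strstr(value, "..") != NULL)
        return TTY_UNSET;

    /* O_NOFOLLOW refuses a symlink as the final component, O_NOCTTY avoids
     * acquiring a controlling terminal, O_NONBLOCK avoids hanging on open. */
    fd = open(value, O_RDONLY | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
    if (fd < 0)
        return TTY_UNSET;
    is_tty = fstat(fd, &st) == 0 && S_ISCHR(st.st_mode) && isatty(fd);
    close(fd);
    return is_tty ? TTY_DEVICE : TTY_UNSET;
}

int main(void)
{
    /* Constructed sample values. */
    const char *samples[] = { "cups", ":0", "./cups", "/dev/null", "/dev/tty" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %d\n", samples[i], (int)classify_pam_tty(samples[i]));
    return 0;
}
```

A value classified as `TTY_UNSET` corresponds to leaving PAM_TTY unset, as suggested in the quoted message.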