Date: Thu, 12 Nov 2009 21:50:22 +0000
From: "P.A.J.Saunders" <pajs@fodder.org.uk>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: misc/140514: PAM can give PAM_SUCCESS when in fact it should give PAM_CRED_INSUFFICIENT
Message-ID: <E1N8hYc-0000jM-Gi@carrick.bishnet.net>
Resent-Message-ID: <200911122200.nACM07u3079254@freefall.freebsd.org>

>Number: 140514
>Category: misc
>Synopsis: PAM can give PAM_SUCCESS when in fact it should give PAM_CRED_INSUFFICIENT
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Nov 12 22:00:06 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Peter Saunders
>Release: FreeBSD 8.0-RC1 i386
>Organization:
>Environment:
System: FreeBSD 8.0-RC1 FreeBSD 8.0-RC1 #2: Mon Oct 5 17:18:42 BST 2009 i386
System: FreeBSD 6.2-RELEASE-p3 FreeBSD 6.2-RELEASE-p3 #2: Sun Apr 1 14:43:00 BST 2007 i386
>Description:
If an application is not running as root, and the pam stack has pam_unix in it, and has the nullok option set, it will always return PAM_SUCCESS for any password given on a valid user name.

This is related to 126650, which was filed as not a bug; however, it did not mention that applications could also be given PAM_SUCCESS for incorrect passwords.
>How-To-Repeat:
Have an application use pam as non root, with nullok set.
>Fix:
Unknown as detailed in 126650.
>Release-Note:
>Audit-Trail:
>Unformatted:
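
A configuration check for the condition this report describes (pam_unix in a service's auth chain with nullok set), as an added example that is not part of the original report or of FreeBSD's code. It assumes the four-column pam.d file layout (facility, control flag, module path, options); the sample policy and the function names are constructed for illustration.

```python
import os

# Constructed sample policy in pam.d four-column form; not taken from the report.
SAMPLE = """\
# auth chain for a hypothetical service
auth      sufficient  pam_opie.so   no_warn no_fake_prompts
auth      required    pam_unix.so   no_warn try_first_pass \\
                                    nullok
account   required    pam_unix.so
password  required    pam_unix.so   no_warn nullok
auth      required    pam_unix.so   no_warn try_first_pass
"""


def logical_lines(text):
    """Yield (first_line_number, rule) with comments removed and
    backslash-continued lines joined into one rule."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(buf).strip()
        if joined:
            yield start, joined
        buf, start = [], None


def find_nullok(text, module="pam_unix", facility="auth"):
    """Return (line, control_flag, module_path) for every rule of the given
    facility that loads `module` with the nullok option."""
    hits = []
    for lineno, rule in logical_lines(text):
        fields = rule.split()
        if len(fields) < 3:
            continue  # not a complete rule
        fac, control, path, opts = fields[0], fields[1], fields[2], fields[3:]
        name = os.path.basename(path).split(".so")[0]
        if fac == facility and name == module and "nullok" in opts:
            hits.append((lineno, control, path))
    return hits


if __name__ == "__main__":
    for lineno, control, path in find_nullok(SAMPLE):
        print(f"line {lineno}: auth {control} {path} has nullok set")
```

Run it over each file in the PAM policy directory for services whose applications authenticate users without running as root, since that is the combination the report is about.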