Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 12 Nov 2009 21:50:22 +0000
From:      "P.A.J.Saunders" <pajs@fodder.org.uk>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   misc/140514: PAM can give PAM_SUCCESS when infact it should give PAM_CRED_INSUFFICIENT
Message-ID:  <E1N8hYc-0000jM-Gi@carrick.bishnet.net>
Resent-Message-ID: <200911122200.nACM07u3079254@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help

>Number:         140514
>Category:       misc
>Synopsis:       PAM can give PAM_SUCCESS when infact it should give PAM_CRED_INSUFFICIENT
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 12 22:00:06 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Peter Saunders
>Release:        FreeBSD 8.0-RC1 i386
>Organization:
>Environment:
System: FreeBSD 8.0-RC1 FreeBSD 8.0-RC1 #2: Mon Oct 5 17:18:42 BST 2009 i386
System: FreeBSD 6.2-RELEASE-p3 FreeBSD 6.2-RELEASE-p3 #2: Sun Apr 1 14:43:00 BST 2007  i386

>Description:
If an application is not running as root, and the pam stack has pam_unix it, and has the nullok option set
it will always return PAM_SUCCESS for any password given on a valid user name. This is related to 126650
which was filed as not a bug - however, it did not mention that applications could also be given 
PAM_SUCCESS for incorrect passwords.

>How-To-Repeat:
Have an application use pam as non root, with nullok set.

>Fix:
Unknown as detailed in 126650.
>Release-Note:
>Audit-Trail:
>Unformatted:



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E1N8hYc-0000jM-Gi>