From: Terry Lambert
Message-Id: <199811231852.LAA21705@usr02.primenet.com>
Subject: Re: Would this make FreeBSD more secure?
To: jdp@polstra.com (John Polstra)
Date: Mon, 23 Nov 1998 18:52:01 +0000 (GMT)
Cc: tlambert@primenet.com, hackers@FreeBSD.ORG
In-Reply-To: <199811200316.TAA17171@vashon.polstra.com> from "John Polstra" at Nov 19, 98 07:16:13 pm

> > Someone should now go through the Sun CERT and other security
> > advisories; I think at last count there were 40 some-odd that
> > involved PAM.
>
> Per your suggestion back around August, I looked through them.  I
> didn't find anything relevant to us.  The advisories were either
> very old or they applied to modules that we don't use.
>
> Of course, it's entirely possible I missed an important one.  So
> anyone else is also encouraged to look for reports and see whether
> the problems exist in the code I imported.

You need to look at Bugtraq as well; go to:

    http://www.geek-girl.com/bugtraq/search.html

And search for "PAM".  Kick the "Maximum number of files returned"
up to 1000; you'll need it.

Also, I think the point of PAM is to let people use modules other
than the ones that we use... so that argument is rather pointless.

Here is a bug that will be common in network applications like
ftpd linked to use PAM:

    http://geek-girl.com/bugtraq/1998_1/0111.html

I don't know if you are using the rhost module, but if so, this
may be relevant:

    http://geek-girl.com/bugtraq/1997_4/0000.html

Also, PAM can become vulnerable based on libc implementation,
since it is a consumer of libc; here's one example:

    http://geek-girl.com/bugtraq/1997_2/0228.html

Of course, the list is so huge that I can't post it all here...

Also, is our qpopper port still vulnerable to:

    http://geek-girl.com/bugtraq/1998_2/0657.html

???

I know that it violates the POP3 RFC on an APOP auth failure by
not waiting for the "QUIT\r\n" after the "-ERR" before putting up
"+OK" and shutting down the connection, so it's pretty old...

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
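
Added example, not part of the original message: a small transcript check for the APOP behaviour described above, where the server puts up its sign-off "+OK" after the "-ERR" without waiting for the client's QUIT. The "C: "/"S: " transcript format, both sample sessions and the function names are assumptions made for illustration.

```python
# Added example (not from the original message): flag a POP3 server that signs
# off after a failed APOP without waiting for QUIT. Both samples are constructed.

CONFORMANT = """\
S: +OK POP3 server ready <1234.5678@mail.example>
C: APOP alice 00000000000000000000000000000000
S: -ERR authentication failed
C: QUIT
S: +OK signing off
"""

EARLY_SIGNOFF = """\
S: +OK POP3 server ready <1234.5678@mail.example>
C: APOP alice 00000000000000000000000000000000
S: -ERR authentication failed
S: +OK signing off
"""

def parse_transcript(text):
    """Turn 'C: ...' / 'S: ...' lines into (side, line) tuples."""
    events = []
    for raw in text.strip().splitlines():
        side, sep, line = raw.partition(": ")
        if side not in ("C", "S") or not sep:
            raise ValueError("unrecognised transcript line: %r" % raw)
        events.append((side, line))
    return events

def find_early_signoff(events):
    """Return indexes of server replies sent with no command pending
    right after a failed APOP (the server did not wait for QUIT)."""
    findings = []
    pending = None          # client command still awaiting its reply
    apop_failed = False     # last completed exchange was APOP -> -ERR
    greeted = False
    for i, (side, line) in enumerate(events):
        if side == "C":
            pending = line.split(" ", 1)[0].upper()
            apop_failed = False
        elif not greeted:
            greeted = True  # the first server line is the greeting
        elif pending is None:
            if apop_failed:
                findings.append(i)
        else:
            apop_failed = (pending == "APOP" and line.startswith("-ERR"))
            pending = None
    return findings
```

Run against a captured session, a non-empty result gives the positions of server lines that were sent unprompted after the failed APOP.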