From: Dan Lukes <dan@obluda.cz>
To: freebsd-security@freebsd.org
Date: Sun, 20 May 2007 20:29:47 +0200
Message-ID: <4650939B.6020004@obluda.cz>
In-Reply-To: <20070520132410.58989605@vixen42>
Subject: Re: PAM exec patch to allow PAM_AUTHTOK to be exported.

Zane C.B. wrote, on 05/20/07 19:24:
> My current thoughts are along the lines of passing it through stdin
> currently.

You can select the channel which can be used for information passing? It seems you have the sources of the program you want to call from pam_exec.
The better way is to add a few functions into the sources and convert the standalone binary into a regular PAM module. In fact, the program in question:

1. is not PAM aware, so it can't work with PAM data without source code change - the patch doesn't help
2. is PAM aware, so it shall be written as a regular PAM module - the patch is not required
3. wants to be PAM aware, but its programmer is too lazy to write it the clean way (as a regular PAM module) - we need the patch

The patch shall be rejected because the only purpose of it is to support lazy programmers creating hacks instead of solutions.

I don't want to start a flame. It's my $0.02. Your mileage may vary.

Dan
-- 
Dan Lukes SISAL MFF UK
AKA: dan at obluda.cz, dan at freebsd.cz, dan at (kolej.)mff.cuni.cz