Date: Sun, 16 Feb 2003 02:55:56 +0300
From: "Andrey A. Chernov"
To: Dag-Erling Smorgrav
Cc: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libpam/modules/pam_opieaccess pam_opieaccess.c
Message-ID: <20030215235556.GI72156@nagual.pp.ru>
References: <200302152326.h1FNQnAr027546@repoman.freebsd.org> <20030215233943.GC72156@nagual.pp.ru>

On Sun, Feb 16, 2003 at 00:46:27 +0100, Dag-Erling Smorgrav wrote:
> "Andrey A. Chernov" writes:
> > There is no need to explicitly allow localhost in /etc/opieaccess. It
> > already works by default, as designed; see the OPIE code.
>
> It does not work by default; pam_opieaccess previously had special-
> case code to handle this (by explicitly allowing non-OPIE logins when
> PAM_RHOST was NULL). This behaviour was very surprising to people who
> wanted to prevent OPIE users from using their passwords even locally,
> as they had no way of knowing that login(1) happened to set PAM_RHOST
> to NULL for local logins.

It means that pam_opieaccess() tries to handle localhost before
accessfile.c instead of correctly passing "" there for the localhost case.

> > /etc/opieaccess changes break POLA.
>
> How? They preserve historical behaviour while allowing admins to
> implement a stricter policy, should they wish to do so.

In a non-PAMified OPIE environment there was no need to directly specify
localhost in /etc/opieaccess. Old configurations become broken after your
change because they miss the "new" addition.

-- 
Andrey A. Chernov
http://ache.pp.ru/
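The disagreement above is about where the local-login decision is made: in the module, before the access file is read, or in the access file itself. The following is an added model of the two behaviours as the thread describes them, not code from pam_opieaccess or OPIE; the `permit|deny ADDRESS NETMASK` line format follows opieaccess(5), the sample files are constructed, and mapping a NULL PAM_RHOST to 127.0.0.1 for the post-change lookup, with no match meaning "not trusted", is an assumption of this model.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample files in the "permit|deny ADDRESS NETMASK" format of opieaccess(5).
# OLD_FILE is a pre-change admin configuration that never mentions localhost;
# NEW_FILE adds the explicit localhost line the thread argues about.
OLD_FILE = """\
# console subnet may use plain passwords, everyone else must use OPIE
permit 10.0.0.0 255.255.255.0
"""
NEW_FILE = OLD_FILE + "permit 127.0.0.1 255.255.255.255\n"

Rule = Tuple[bool, ipaddress.IPv4Network]


def parse_opieaccess(text: str) -> List[Rule]:
    """Parse permit/deny rules; comments and blank lines are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, addr, mask = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in opieaccess line: {raw!r}")
        # ipaddress accepts dotted netmasks in the "addr/mask" form.
        rules.append((action == "permit", ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)))
    return rules


def file_permits_password(rules: List[Rule], host: str) -> bool:
    """First matching rule wins; no match means the host is not trusted (assumption)."""
    ip = ipaddress.IPv4Address(host)
    for permit, net in rules:
        if ip in net:
            return permit
    return False


def old_pam_opieaccess(rhost: Optional[str], rules: List[Rule]) -> bool:
    """Pre-change logic as described in the thread: a NULL PAM_RHOST (local
    login) was special-cased as trusted before the file was ever consulted."""
    if rhost is None:
        return True
    return file_permits_password(rules, rhost)


def new_pam_opieaccess(rhost: Optional[str], rules: List[Rule]) -> bool:
    """Post-change logic: local logins are checked against the file like any
    other host, so an admin can deny plain passwords locally (assumed mapping)."""
    return file_permits_password(rules, rhost if rhost is not None else "127.0.0.1")
```

With OLD_FILE the pre-change code lets a local login use a plain password while the post-change code does not, which is both the stricter policy one side wants and the silently broken old configuration the other side objects to; adding the NEW_FILE line restores the old result.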