Date: Mon, 23 Nov 1998 16:25:37 -0800 (PST)
From: John Polstra
To: Terry Lambert
Cc: hackers@FreeBSD.ORG
Subject: Re: Would this make FreeBSD more secure?
Organization: Polstra & Co., Inc.
In-Reply-To: <199811231852.LAA21705@usr02.primenet.com>

> You need to look at Bugtraq as well

I did already.

> Also, I think the point of PAM is to let people use modules other
> than the ones that we use... so that argument is rather pointless.

What argument? I have no intention of taking responsibility for bugs
in modules that other people wrote. If you want to use them, it's up
to you to convince yourself that they're OK.

> Here is a bug that will be common in network applications like ftpd
> linked to use PAM:
>
> http://geek-girl.com/bugtraq/1998_1/0111.html

This is a bug in the Solaris ftpd, and has nothing to do with PAM.

> I don't know if you are using the rhost module, but if so, this may
> be relevant:

I didn't use any of the Linux modules.

> Also, PAM can become vulnerable based on libc implementation, since
> it is a consumer of libc; here's one example:
>
> http://geek-girl.com/bugtraq/1997_2/0228.html

This is about a Linux libc bug, combined with a stupid blunder by a
Linux system "administrator". Anyway, everything that is linked with
libc is vulnerable to bugs in it. PAM is not special in that sense.

> Also, is our qpopper port still vulnerable to:
>
> http://geek-girl.com/bugtraq/1998_2/0657.html
>
> ???

I have no idea. What is the relevance to PAM?

---
John Polstra jdp@polstra.com
John D. Polstra & Co., Inc. Seattle, Washington USA
"Nobody ever went broke underestimating the taste of the American public."
-- H. L. Mencken