Date: Wed, 15 Mar 2000 17:31:29 -0800
From: Chris Piazza <cpiazza@jaxon.net>
To: FreeBSD Ports <ports@FreeBSD.org>
Cc: jedgar@FreeBSD.org, kris@FreeBSD.org
Subject: [SECURITY] Serious problems with the wdm port
Message-ID: <20000315173129.A5272@norn.ca.eu.org>
(kris CC:'d because this is a security problem, jedgar CC:'d because
it's doing weird things and he committed it.)

Hi,

The wdm port was recently upgraded to 1.20. Okay, that's fine.
Except if you enable pam using USE_PAM it does some pretty weird things.

1. It installs and grabs its PAM information from /etc/pam.d/wdm.
   Uh.. what is that?

2. This is the security problem. By default it uses this for PAM modules:

   #%PAM-1.0
   auth       sufficient   /usr/lib/pam_permit.so
   account    sufficient   /usr/lib/pam_permit.so
   session    sufficient   /usr/lib/pam_permit.so

   Uh... so it allows any password given to work.

The only reason I found this was because the modules I'd listed in
/etc/pam.conf (the RIGHT place) weren't even being used.

-Chris
--
cpiazza@jaxon.net  cpiazza@FreeBSD.org
Abbotsford, BC, Canada

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
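An audit check for the configuration reported above, added here as an example (it is not part of the original message or of the wdm port): it parses PAM configuration text and reports every auth or account stack that pam_permit.so decides before any real module can refuse. The function names and the pam.conf sample are constructed for illustration, and bracketed Linux-PAM controls are not evaluated.

```python
import os

CHECKED = ("auth", "account")            # facilities that decide whether a login succeeds
GATES = {"required", "requisite", "binding"}
DECISIVE = GATES | {"sufficient"}

# The per-service file quoted in the message.
WDM_PAMD = """#%PAM-1.0
auth sufficient /usr/lib/pam_permit.so
account sufficient /usr/lib/pam_permit.so
session sufficient /usr/lib/pam_permit.so
"""
# Constructed pam.conf-style sample (service name in the first column).
PAM_CONF = """xdm auth required pam_unix.so try_first_pass
xdm account required pam_unix.so
xdm session required pam_permit.so
wdm auth sufficient pam_permit.so
"""


def parse_pam(text, has_service_column=False):
    """Yield (service, facility, control, module) for each rule in PAM config text."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if has_service_column and fields:
            service, fields = fields[0], fields[1:]
        else:
            service = None
        # Assumption: bracketed controls such as [success=1 ...] are skipped.
        if len(fields) >= 3 and not fields[1].startswith("["):
            yield service, fields[0], fields[1], os.path.basename(fields[2])


def unconditional_stacks(text, has_service_column=False):
    """Return sorted (service, facility) pairs whose outcome pam_permit.so decides."""
    gated, flagged = set(), set()
    for service, facility, control, module in parse_pam(text, has_service_column):
        key = (service, facility)
        if facility not in CHECKED or control not in DECISIVE:
            continue
        if module.startswith("pam_permit"):
            if key not in gated:          # no failing module can veto this stack
                flagged.add(key)
        elif control in GATES:
            gated.add(key)
    return sorted(flagged, key=str)


if __name__ == "__main__":
    print(unconditional_stacks(WDM_PAMD), unconditional_stacks(PAM_CONF, True))
```

The session facility is deliberately not checked, since pam_permit.so there does not affect whether a password is accepted.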