Date: Sun, 20 May 2007 13:24:10 -0400
From: "Zane C.B." <v.velox@vvelox.net>
To: Dag-Erling Smørgrav <des@des.no>
Cc: FreeBSD Security <freebsd-security@freebsd.org>
Subject: Re: PAM exec patch to allow PAM_AUTHTOK to be exported.
Message-ID: <20070520132410.58989605@vixen42>
In-Reply-To: <86tzu7ifp2.fsf@dwp.des.no>
References: <20070519130533.722e8b57@vixen42> <86bqgfh4w0.fsf@dwp.des.no> <20070520120142.39e86eae@vixen42> <86tzu7ifp2.fsf@dwp.des.no>
On Sun, 20 May 2007 19:10:33 +0200
Dag-Erling Smørgrav <des@des.no> wrote:

> "Zane C.B." <v.velox@vvelox.net> writes:
> > Dag-Erling Smørgrav <des@des.no> writes:
> > > Your patch opens a gaping security hole. Sensitive information
> > > should never be placed in the environment.
> > Unless I am missing something, this is only dangerous if one is
> > doing something stupid with whatever is being executed by
> > pam_exec.
>
> Environment variables may be visible to other processes and users
> through e.g. /proc.

Cool. Forgot about /proc. Is definitely an issue.

Hmmm, any ideas in the area of passing it then? My current thoughts
are along the lines of passing it through stdin.
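The alternative floated at the end of the message, handing the token to the helper on its stdin instead of exporting it, as an added example in C. This is not code from the thread, from the patch under discussion, or from FreeBSD's pam_exec; the helper names `spawn_capture`, `run_with_secret_on_stdin` and `run_with_secret_in_env` are hypothetical, the token is a constructed string, and the environment-variable name PAM_AUTHTOK is assumed from the subject line. The block runs both routes so the difference can be observed with env(1) and a shell one-liner:

```c
/* Added example: not code from the thread, the patch under discussion or FreeBSD's pam_exec. */
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Spawn `path` with `argv`, collect its stdout into `out` (NUL-terminated, at most
 * outlen-1 bytes) and return the child's exit status, or -1 on error.  The secret
 * reaches the child by exactly one route: stdin_data != NULL writes it into a pipe
 * that becomes the child's stdin; envname != NULL exports envname=envval instead. */
static int spawn_capture(const char *path, char *const argv[], const char *stdin_data,
                         const char *envname, const char *envval, char *out, size_t outlen)
{
    int in[2], op[2], status; pid_t pid;
    size_t used = 0; ssize_t n; char buf[1024];

    if (outlen == 0 || pipe(in) == -1)
        return -1;
    if (pipe(op) == -1) {
        close(in[0]); close(in[1]);
        return -1;
    }
    /* Fill the stdin pipe before forking and close the write end at once: the bytes
     * wait in the kernel pipe buffer and the child reads them followed by EOF.  The
     * secret never enters an environment block, and there is no write-after-exit
     * race with a helper that ignores stdin, so no SIGPIPE handling is needed. */
    if (stdin_data != NULL) {
        size_t len = strlen(stdin_data);
        if (len + 1 > PIPE_BUF || write(in[1], stdin_data, len) != (ssize_t)len ||
            write(in[1], "\n", 1) != 1) {
            close(in[0]); close(in[1]); close(op[0]); close(op[1]);
            return -1;
        }
    }
    close(in[1]);
    if ((pid = fork()) == -1) {
        close(in[0]); close(op[0]); close(op[1]);
        return -1;
    }
    if (pid == 0) {                                                 /* child */
        if (dup2(in[0], STDIN_FILENO) == -1 || dup2(op[1], STDOUT_FILENO) == -1)
            _exit(127);
        close(in[0]); close(op[0]); close(op[1]);
        if (envname != NULL && setenv(envname, envval, 1) == -1)
            _exit(127);
        execv(path, argv);
        _exit(127);
    }
    close(in[0]);                                                   /* parent */
    close(op[1]);
    /* Drain the child's stdout to EOF so it can never block on a full pipe. */
    while ((n = read(op[0], buf, sizeof buf)) > 0) {
        size_t room = outlen - used - 1;
        size_t take = (size_t)n < room ? (size_t)n : room;
        memcpy(out + used, buf, take);
        used += take;
    }
    out[used] = '\0';
    close(op[0]);
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The route proposed in the thread: the token arrives on the helper's stdin. */
int run_with_secret_on_stdin(const char *path, char *const argv[], const char *secret,
                             char *out, size_t outlen)
{
    return spawn_capture(path, argv, secret, NULL, NULL, out, outlen);
}

/* The route the patch took: the token is exported as an environment variable. */
int run_with_secret_in_env(const char *path, char *const argv[], const char *name,
                           const char *secret, char *out, size_t outlen)
{
    return spawn_capture(path, argv, NULL, name, secret, out, outlen);
}

int main(void)
{
    const char *token = "constructed-authtok-7f3a";        /* constructed, not a real token */
    char *const cat_argv[] = { "cat", NULL };
    char *const env_argv[] = { "env", NULL };
    char *const sh_argv[] = { "sh", "-c", "printf '%s' \"$PAM_AUTHTOK\"", NULL };
    char out[16384];
    run_with_secret_on_stdin("/bin/cat", cat_argv, token, out, sizeof out);
    printf("helper read from stdin: %s", out);
    run_with_secret_on_stdin("/usr/bin/env", env_argv, token, out, sizeof out);
    printf("token in env(1) listing, stdin route: %s\n", strstr(out, token) ? "yes" : "no");
    run_with_secret_in_env("/bin/sh", sh_argv, "PAM_AUTHTOK", token, out, sizeof out);
    printf("$PAM_AUTHTOK as seen by helper, env route: \"%s\"\n", out);
    return 0;
}
```

With the stdin route the token exists only in the kernel pipe buffer and in the helper's own memory, so a listing of the helper's environment (what /proc/<pid>/environ or ps(1) can expose to other users, depending on the system's settings) does not contain it; with the environment route the helper, and anything able to read its environment, sees it. Writing the pipe before fork(2) is deliberate: it bounds the token to PIPE_BUF bytes, never blocks, and cannot raise SIGPIPE if the helper exits without reading stdin. What the helper does with the token once it has read it (not writing it to a file, not passing it on to yet another program's environment) is a separate problem that this example does not address.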
