Date: Sun, 20 May 2007 13:24:10 -0400 From: "Zane C.B." <v.velox@vvelox.net> To: Dag-Erling =?ISO-8859-1?Q?Sm=F8rgrav?= <des@des.no> Cc: FreeBSD Security <freebsd-security@freebsd.org> Subject: Re: PAM exec patch to allow PAM_AUTHTOK to be exported. Message-ID: <20070520132410.58989605@vixen42> In-Reply-To: <86tzu7ifp2.fsf@dwp.des.no> References: <20070519130533.722e8b57@vixen42> <86bqgfh4w0.fsf@dwp.des.no> <20070520120142.39e86eae@vixen42> <86tzu7ifp2.fsf@dwp.des.no>
index | next in thread | previous in thread | raw e-mail
On Sun, 20 May 2007 19:10:33 +0200 Dag-Erling Smørgrav <des@des.no> wrote: > "Zane C.B." <v.velox@vvelox.net> writes: > > Dag-Erling Smørgrav <des@des.no> writes: > >> Your patch opens a gaping security hole. Sensitive information > >> should never be placed in the environment. > > Unless I am missing something, this is only dangerous if one is > > doing something stupid with what ever is being executed by > > pam_exec. > > Environment variables may be visible to other processes and users > through e.g. /proc. Cool. Forgot about /proc. Is definitely a issue. Hmmm, any ideas in the area of passing it then? My current thoughts are along the lines of passing it through stdin currently.home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070520132410.58989605>