On Thu, 10 Mar 2005 16:06:38 +0100 Jeroen van Wolffelaar <[EMAIL PROTECTED]> wrote:
> Hm, introducing such a helper program can introduce a security hole if
> not done carefully, also, with pam it's afaik usually expected that
> the calling program makes sure it's root, rather than the pam module
> for obvious security reasons.

But I think that it is a much greater risk to let programs like xscreensaver or xlock run as setuid root than to let a small binary run as setuid root. By the way, pam_unix also uses an external binary, and xscreensaver and xlock have permissions 755 by default, not 4755.

> It's up to the maintainer, but I'm not sure it's a good idea to add
> this external binary thing just before sarge is about to be released,
> and I suggest to ask for advice on this (on
> debian-devel@lists.debian.org for example) if you plan to do so with
> the intention to get the change in sarge.

Of course it is a good idea to let other people look at my suggestion, because I am not absolutely sure that it does introduce a security hole. But I am quite sure.

Christoph
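The permission claim above (755 versus 4755) is easy to check on an installed system. The following shell function is an added example, not part of the thread; it reports the mode, owner and setuid state of each path given, so an administrator can see which binaries actually carry the setuid bit. The paths passed to it are only illustrative; `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example: report whether a file carries the setuid bit.
# Exit status: 0 if at least one listed file is setuid, 1 if none is,
# 2 if a path does not exist. Intended for auditing lock/screensaver
# binaries and their helper programs on a Debian-style system.
report_setuid() {
    found=1
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f"
            return 2
        fi
        mode=$(stat -c '%a' "$f")   # octal mode, e.g. 755 or 4755
        owner=$(stat -c '%U' "$f")  # owner name, e.g. root
        if [ -u "$f" ]; then
            echo "SETUID: $f (mode $mode, owner $owner)"
            found=0
        else
            echo "not setuid: $f (mode $mode, owner $owner)"
        fi
    done
    return $found
}

# Example invocation (paths are illustrative, not from the thread):
# report_setuid /usr/bin/xscreensaver /usr/bin/xlock /sbin/unix_chkpwd
```

A setuid-root helper shows up as `SETUID: ... (mode 4755, owner root)`; a helper that is setuid but owned by a non-root user would appear with a different owner, which is worth noticing because it grants that user's privileges rather than root's.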