misc/140514: PAM can give PAM_SUCCESS when infact it should give
PAM_CRED_INSUFFICIENT
P.A.J.Saunders
pajs at fodder.org.uk
Thu Nov 12 22:00:08 UTC 2009
>Number: 140514
>Category: misc
>Synopsis: PAM can give PAM_SUCCESS when infact it should give PAM_CRED_INSUFFICIENT
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Nov 12 22:00:06 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Peter Saunders
>Release: FreeBSD 8.0-RC1 i386
>Organization:
>Environment:
System: FreeBSD 8.0-RC1 FreeBSD 8.0-RC1 #2: Mon Oct 5 17:18:42 BST 2009 i386
System: FreeBSD 6.2-RELEASE-p3 FreeBSD 6.2-RELEASE-p3 #2: Sun Apr 1 14:43:00 BST 2007 i386
>Description:
If an application is not running as root, and the pam stack has pam_unix it, and has the nullok option set
it will always return PAM_SUCCESS for any password given on a valid user name. This is related to 126650
which was filed as not a bug - however, it did not mention that applications could also be given
PAM_SUCCESS for incorrect passwords.
>How-To-Repeat:
Have an application use pam as non root, with nullok set.
>Fix:
Unknown as detailed in 126650.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list