PAM exec patch to allow PAM_AUTHTOK to be exported.
Zane C.B.
v.velox at vvelox.net
Sun May 20 17:21:43 UTC 2007
On Sun, 20 May 2007 19:10:33 +0200
Dag-Erling Smørgrav <des at des.no> wrote:
> "Zane C.B." <v.velox at vvelox.net> writes:
> > Dag-Erling Smørgrav <des at des.no> writes:
> >> Your patch opens a gaping security hole. Sensitive information
> >> should never be placed in the environment.
> > Unless I am missing something, this is only dangerous if one is
> > doing something stupid with whatever is being executed by
> > pam_exec.
>
> Environment variables may be visible to other processes and users
> through e.g. /proc.
Cool. Forgot about /proc. Is definitely an issue. Hmmm, any ideas in
the area of passing it then?
My current thoughts are along the lines of passing it through stdin
currently.