On Mon, May 08, 2000 at 03:28:23PM +0700, Umum Wijoyo wrote:
> Hello again...
>
> I've noticed that Debian frozen/potato has already used the PAM security
> scheme...

it uses PAM as its authentication system, all the main authenticating
utilities, /bin/login /bin/su et al use PAM to authenticate the user.

> I also heard somewhere that PAM has a security hole? Using a so-called
> slam.sh script, some Red Hat distros have become vulnerable...
> Is this also a problem with the Debian distro?
> Should I, or should I not remove PAM?

you cannot remove pam, not without breaking/removing /bin/login /bin/su
and everything else ;-) not what you want.

as to the security bug it was not in pam itself but rather in one
specific module, pam_console. the bug was really in a suid binary that
is a helper for pam_console, here are the basic details:

/usr/bin/consolehelper is a suid program, it accepts the argument of a
path to another utility say /bin/shutdown. I don't remember the exact
details of how it does its checks, but what you could do was this:

compile a pam `module' with the following source:

    [...]
    system("/bin/sh");

then create a pam configuration file in /tmp calling that fake module.
you then ran /usr/bin/consolehelper ../../../../../../../pamslam.conf

it would read the fake config file in /tmp and load the fake pam module
we created, executing /bin/sh -- as root -- blamo r00t shell!

console-helper allows the admin to define arbitrary binaries that can be
run as root based on custom authentication conf files in /etc/pam.d.
the problem is these config files are specified as an argument to the
suid /usr/bin/consolehelper and it allowed you to specify bogus things
like ../../../../../../etc/pam.d/r00tshell.

AFAIK there is no other standard program that allows this kind of
manipulation. (/bin/login and /bin/su hard code their pam service name
so you cannot ask it to `be something else')

now the good news: Debian does not use nor include this evil module in
potato ;-) we are NOT vulnerable to that bug as we don't even have the
rootsh^H^H^H^H^H^Hconsolehelper

> (Some security scheme... if it only turns out that it itself is a weak
> spot)

that can happen, but in this case `pam' is not a monolithic system, it's
merely a set of modules and libraries, you can write creative programs
that use pam in creative ways but if you get too creative like
pam_console you get problems. things like /bin/login and /bin/su use pam
in much more sane ways than console-helper does.

[note: i am not certain this is the vulnerability you are referring to
as you were not very specific, but the console-helper exploit was called
`pamslam']

> Thanks!
>
> Urip Hudiono
> ------------------
> Bandung, Indonesia
>
> PS: Thanks for all ur suggestions on my previous questions. Will try them
> out!
>
>
> --
> Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] < /dev/null

--
Ethan Benson
http://www.alaska.net/~erbenson/
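Added example (not from the thread): the two checks Ethan's explanation implies, written as a small Python audit. `resolve_service` accepts only a plain service name that lands inside /etc/pam.d, which is the property /bin/login and /bin/su get from hard-coding their name and consolehelper lacked; `untrusted_modules` scans a config for modules loaded by absolute path from outside the module directory, as a module in /tmp would be. The /lib/security directory and the sample config are assumptions.

```python
import os

PAM_DIR = "/etc/pam.d"
# Assumption: the system PAM module directory (Debian's libpam default of the time).
TRUSTED_MODULE_DIRS = ("/lib/security",)

def resolve_service(name, pam_dir=PAM_DIR):
    """Map a PAM service name to its config file, or None if the name is unsafe.
    /bin/login and /bin/su pass a fixed name such as "login"; a name containing a
    path separator can only select a file outside pam_dir, which is exactly what
    consolehelper's argument handling permitted."""
    if not name or name in (".", "..") or "/" in name or "\0" in name:
        return None
    path = os.path.normpath(os.path.join(pam_dir, name))
    # Belt and braces: after normalisation the file must still sit directly in pam_dir.
    if os.path.dirname(path) != os.path.normpath(pam_dir):
        return None
    return path

def untrusted_modules(config_text, trusted_dirs=TRUSTED_MODULE_DIRS):
    """Return (line number, module) for each module a /etc/pam.d-style config loads
    by absolute path from outside trusted_dirs.
    Parses "type control module [args]" lines, including a bracketed control field
    such as [success=1 default=ignore]. A bare module name is resolved by libpam
    inside its own module directory and is not flagged."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenise
        if len(fields) < 3:
            continue
        idx = 2
        if fields[1].startswith("["):           # advance past the closing bracket
            while idx < len(fields) and not fields[idx - 1].endswith("]"):
                idx += 1
        if idx >= len(fields):
            continue
        module = fields[idx]
        if module.startswith("/") and os.path.dirname(module) not in trusted_dirs:
            findings.append((lineno, module))
    return findings

# Constructed sample: one module loaded from /tmp, as the fake pamslam module would be.
SAMPLE_CONFIG = """auth     required   pam_unix.so
auth     sufficient /tmp/pamslam.so
account  [success=1 default=ignore] /lib/security/pam_unix.so
"""
```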