On 11/18/08 09:56, Mayuresh Nirhali wrote:

> Dante does not maintain a separate database for the username/password
> pairs.
> It relies on the native database (/etc/passwd/ldap).

Surprising. I'm not sure if that's architecturally sound, but I guess this is just the way it is when we integrate 3rd party products.

> Yes, that's exactly why I ask.
> The implementation is such that it switches to the effective euid of
> user.privileged as configured (per the proposed solution for the
> vanilla configuration as 'root') just before attempting a task that
> needs privileges and switches back to the notprivileged uid immediately
> after the task/operation is over. I am not very sure how vulnerable the
> setup would be to attacks, if euid is root during the privileged
> operation?

That depends on the architecture of Dante, I think. A quick look at the code seems to indicate that it is single threaded, so it doesn't perform other operations while being switched to user.privileged; I guess the attack window from that perspective is low.

A larger problem, however, is that the server constantly runs with its saved uid set to user.privileged (root). Any successful attack on the code can just as easily do a seteuid(user.privileged) as the PAM code can. This sounds non-desirable.

If this were a review of an in-house developed piece of software, I'd strongly suggest finding alternatives (either run with just the privileges needed to validate passwords, or run with a different database, or delegate authenticating users to a sub-task that doesn't deal with forwarding packets like the main daemon does). I don't know how far we'd go for imported products; I guess it depends on what we want to build on top of this.

Note, however, that I'm not a PSARC member, just an interested lurker. As a Solaris PAM maintainer, I do think that the way Dante uses PAM is broken, suboptimal at best, but we can take that off-line.

Joep
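The saved-uid point in the reply above, shown as an added example (not code from Dante or from either poster): a seteuid()-style temporary drop leaves the saved uid at the privileged value, so the process can always climb back, while setting real, effective and saved uid together makes the drop irrevocable. It assumes a Linux or BSD libc that provides getresuid()/setresuid(); run as an unprivileged user it simply verifies that no regain path exists.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* The three uids the kernel tracks per process. */
struct uid_state { uid_t real, effective, saved; };

static int read_uids(struct uid_state *s) {
    return getresuid(&s->real, &s->effective, &s->saved);
}

/* Temporary drop, as described for Dante: only the effective uid moves.
 * The saved uid keeps the privileged value, so seteuid(saved) restores
 * it later, for the daemon and for any code that hijacks the daemon. */
int temporary_drop(uid_t unprivileged) {
    return seteuid(unprivileged);
}

/* Irrevocable drop: real, effective and saved uid all move together,
 * so no later seteuid()/setuid() call can climb back. Verified rather
 * than trusted, because set*uid() failures are easy to ignore. */
int permanent_drop(uid_t unprivileged) {
    struct uid_state s;
    if (setresuid(unprivileged, unprivileged, unprivileged) != 0)
        return -1;
    if (read_uids(&s) != 0)
        return -1;
    return (s.real == unprivileged && s.effective == unprivileged &&
            s.saved == unprivileged) ? 0 : -1;
}

/* 1 if some uid other than the current effective one is still reachable
 * through the saved or real uid (the situation the reply warns about),
 * 0 if all three agree, -1 on error. */
int can_regain_privilege(void) {
    struct uid_state s;
    if (read_uids(&s) != 0)
        return -1;
    return (s.saved != s.effective || s.real != s.effective) ? 1 : 0;
}

int main(void) {
    struct uid_state s;
    read_uids(&s);
    printf("ruid=%u euid=%u suid=%u regain=%d\n", (unsigned)s.real,
           (unsigned)s.effective, (unsigned)s.saved, can_regain_privilege());
    printf("permanent_drop=%d regain=%d\n", permanent_drop(getuid()),
           can_regain_privilege());
    return 0;
}
```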
