Subject: Re: BSD Authentication
To: Noriyuki Soda <soda@sra.co.jp>
From: None <itojun@iijlab.net>
List: current-users
Date: 09/09/2003 01:17:44
>seebs@plethora.net (Peter Seebach), wrote:
>> the caller's address space; this means that, even apart from an intentional
>> attack, that a bug in a PAM module can do things within an otherwise
>> carefully-audited program. Each new module introduces that risk all over
>The same problem exists in BSD auth, too.
>Because every BSD auth module runs with root privilege, each new <---
>module introduces risks that a compromised module modifies other
>process's state by ptrace(2).

the above statement (arrow) is not true. authentication modules do
not have to be run with root privilege. for instance, login_passwd needs
to run *in the current form of NetBSD* because access to /etc/spwd.db
needs root privilege. in fact, OpenBSD login_passwd is not setuid root.
we can reduce the number of setuid root login_xx if we design things
carefully.

itojun

# uname -a
OpenBSD tapioca.itojun.org 3.4 GENERIC#78 macppc
# ls -l /usr/libexec/auth
total 304
-r-xr-sr-x 4 root _token 13792 Sep 6 08:43 login_activ
-r-sr-xr-x 1 root auth 16320 Sep 6 08:43 login_chpass
-r-xr-sr-x 4 root _token 13792 Sep 6 08:43 login_crypto
-r-sr-xr-x 1 root auth 6500 Apr 14 2002 login_krb4
-r-sr-xr-x 1 root auth 7240 Apr 14 2002 login_krb4-or-pwd
-r-sr-xr-x 1 root auth 8820 Sep 6 08:43 login_krb5
-r-sr-xr-x 1 root auth 9556 Sep 6 08:43 login_krb5-or-pwd
-r-sr-xr-x 1 root auth 13504 Sep 6 08:43 login_lchpass
-r-xr-sr-x 1 root _shadow 6564 Sep 6 08:43 login_passwd
-r-xr-sr-x 1 root _radius 12624 Sep 6 08:43 login_radius
-r-xr-xr-x 1 root auth 4812 Sep 6 08:43 login_reject
-r-xr-sr-x 1 root auth 6732 Sep 6 08:43 login_skey
-r-xr-sr-x 4 root _token 13792 Sep 6 08:43 login_snk
-r-xr-sr-x 4 root _token 13792 Sep 6 08:43 login_token
# ls -l /etc/sp*
-rw-r--r-- 1 root wheel 1876 Jun 18 13:10 /etc/spamd.conf
-rw-r----- 1 root _shadow 40960 Jun 19 21:54 /etc/spwd.db
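
Added example, not part of the original message: a shell function that classifies each auth helper in an `ls -l` listing by the privilege its mode bits grant, separating setuid-root helpers from those that only gain a group such as _shadow (the group that can read /etc/spwd.db above). The function names are hypothetical; the embedded listing is copied from the message.

```shell
#!/bin/sh
# Classify auth helpers by the privilege their mode bits grant.
# Input: `ls -l` lines on stdin. Output: "<class> <owner>:<group> <name>".
classify_auth_modules() {
    awk '
    $1 ~ /^-/ && NF >= 9 {
        mode = $1; owner = $3; group = $4; name = $NF
        # Character 4 is owner-execute, character 7 is group-execute;
        # "s" or "S" there means the setuid / setgid bit is set.
        suid = (substr(mode, 4, 1) ~ /[sS]/)
        sgid = (substr(mode, 7, 1) ~ /[sS]/)
        if (suid && owner == "root") class = "setuid-root"
        else if (suid)               class = "setuid-other"
        else if (sgid)               class = "setgid-only"
        else                         class = "unprivileged"
        print class, owner ":" group, name
    }'
}

# Sample input: the OpenBSD 3.4 listing quoted in the message.
sample_listing() {
    cat <<'EOF'
total 304
-r-xr-sr-x 4 root _token 13792 Sep 6 08:43 login_activ
-r-sr-xr-x 1 root auth 16320 Sep 6 08:43 login_chpass
-r-xr-sr-x 4 root _token 13792 Sep 6 08:43 login_crypto
-r-sr-xr-x 1 root auth 6500 Apr 14 2002 login_krb4
-r-sr-xr-x 1 root auth 7240 Apr 14 2002 login_krb4-or-pwd
-r-sr-xr-x 1 root auth 8820 Sep 6 08:43 login_krb5
-r-sr-xr-x 1 root auth 9556 Sep 6 08:43 login_krb5-or-pwd
-r-sr-xr-x 1 root auth 13504 Sep 6 08:43 login_lchpass
-r-xr-sr-x 1 root _shadow 6564 Sep 6 08:43 login_passwd
-r-xr-sr-x 1 root _radius 12624 Sep 6 08:43 login_radius
-r-xr-xr-x 1 root auth 4812 Sep 6 08:43 login_reject
-r-xr-sr-x 1 root auth 6732 Sep 6 08:43 login_skey
-r-xr-sr-x 4 root _token 13792 Sep 6 08:43 login_snk
-r-xr-sr-x 4 root _token 13792 Sep 6 08:43 login_token
EOF
}

# Number of helpers in the sample that fall into class $1.
count_class() {
    sample_listing | classify_auth_modules |
        awk -v c="$1" '$1 == c { n++ } END { print n + 0 }'
}

sample_listing | classify_auth_modules | sort
```

On a live system the same function can be fed with `ls -l /usr/libexec/auth | classify_auth_modules`; the setuid-root lines are the helpers worth reviewing first when reducing privilege.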