Subject: Re: Using __progname for PAM service names in pam_start()
To: Christos Zoulas <>
From: Jason Thorpe <>
List: tech-userlevel
Date: 06/13/2007 17:52:54
On Jun 13, 2007, at 10:01 AM, Christos Zoulas wrote:

> In article <>,
> Joerg Sonnenberger  <> wrote:
>> On Wed, Jun 13, 2007 at 07:19:28AM +0000, Emmanuel Dreyfus wrote:
>>> Anyone sees an objection to the system-wide replacement of the  
>>> pam_start
>>> first argument (PAM service name) by __progname? I see only  
>>> benefits here...
>> How does this interact with calling e.g. su with
>> 	execlp("/usr/bin/su", "ftpd");
>> I think this creates a security issue.
> Probably does...

I agree.  I think it's safest for the app to hard-code the service  
name into the call to avoid impersonation problems like this.  And we  
should fix sshd to do so.

-- thorpej