Mailinglist Archive: opensuse-security (601 mails)

Re: AW: [suse-security] SuSE security reputation, etc..
  • From: "Kurt Seifried" <listuser@xxxxxxxxxxxx>
  • Date: Mon, 7 Aug 2000 14:04:31 -0600
  • Message-id: <003d01c000aa$b38ee2a0$6900030a@xxxxxxxxxxxx>
> Hmmm. I agree that these two points are desirable to implement, but it is
> also too complex to do. One of the side effects will be that people
> complain that authentication doesn't work (because the wrong file is
> active) and people complain that SuSE doesn't keep to the standards.

Not necessarily, make it optional.

> We can't afford these two points in the long run. Also, modifying the
> daemons/packages takes time and manpower...

Can't it be done through PAM? I mean this is EXACTLY what PAM is meant for.

#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_shells.so
account required /lib/security/pam_pwdb.so
session required /lib/security/pam_pwdb.so

Maybe make a "stub" pam_pwdb called "pam_pwdb_ftp" that looks for
/etc/passwd-ftp and /etc/shadow-ftp, or a pam_pwdb that takes an argument
for the filename (like pam_listfile). Voila. No mods to daemons needed,
power users happy, normal users blissfully unaware (unless they look into
pam config files and actually make changes).

> It's a nice project, though. Would you want to hack and maintain a set
> of patches that resolve these problems in a few packages?

PAM! use the PAM!. =)

-Kurt
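
Added example, not part of the original message and not code from PAM or SuSE: a Python sketch of the decision logic the proposal implies, a pam_listfile deny check followed by a password lookup in a service-only file. The function names, the `shadow-ftp` line format and the sample accounts are constructed for illustration; the pam_shells, account and session steps are left out.

```python
import hashlib, hmac, os, tempfile

def _digest(password, salt):
    # Constructed hash format for this sketch; not the crypt(3) format of a real shadow file.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10000).hex()

def listfile_deny(user, path, onerr_succeed=True):
    """Model of pam_listfile item=user sense=deny: fail if the user is listed."""
    try:
        with open(path) as f:
            listed = {line.strip() for line in f if line.strip()}
    except OSError:
        return onerr_succeed  # onerr=succeed: an unreadable list does not block login
    return user not in listed

def pwdb_file(user, password, shadow_path):
    """Hypothetical pam_pwdb with a file argument: check a service-only shadow file."""
    try:
        with open(shadow_path) as f:
            for line in f:
                name, salt, digest = line.rstrip("\n").split(":")[:3]
                if name == user:
                    return hmac.compare_digest(_digest(password, salt), digest)
    except (OSError, ValueError):
        pass  # missing or malformed file: fail closed
    return False

def ftp_auth(user, password, ftpusers, shadow_ftp):
    # Every module is "required": all of them run, and any failure fails the stack.
    results = [listfile_deny(user, ftpusers), pwdb_file(user, password, shadow_ftp)]
    return all(results)

def demo():
    """Run the stack against constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        ftpusers, shadow = os.path.join(d, "ftpusers"), os.path.join(d, "shadow-ftp")
        with open(ftpusers, "w") as f:
            f.write("root\n")
        with open(shadow, "w") as f:
            for name, salt, pw in [("alice", "s1", "ftp-only-pw"), ("root", "s2", "root-ftp-pw")]:
                f.write(f"{name}:{salt}:{_digest(pw, salt)}\n")
        return {
            "alice_ftp_pw": ftp_auth("alice", "ftp-only-pw", ftpusers, shadow),
            "alice_system_pw": ftp_auth("alice", "system-pw", ftpusers, shadow),
            "root_denied": ftp_auth("root", "root-ftp-pw", ftpusers, shadow),
            "no_listfile": ftp_auth("alice", "ftp-only-pw", os.path.join(d, "missing"), shadow),
        }

if __name__ == "__main__":
    print(demo())
```

The `no_listfile` case shows the effect of `onerr=succeed`: when the deny list cannot be read, the check passes and the password file alone decides the outcome.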

