author: Andrew G. Morgan <morgan@kernel.org> 2001-02-11 06:33:53 +0000
committer: Andrew G. Morgan <morgan@kernel.org> 2001-02-11 06:33:53 +0000
commit: 4e4d6bb78e3bd6430838d854832c58f104d5f559 (patch)
tree: 9f3223c9b38717da4db165ad13720367c76b6fbf /CHANGELOG
parent: 25188cef4bd88edeb68c1bd3c7b54c38e18ad151 (diff)
Relevant BUGIDs: 112540
Purpose of commit: minor security bugfix

Commit summary:
---------------
Fixes for the password helper binaries. Before, there was no check that the password entered was actually that of the intended user being authenticated. Instead, the password was checked for the requesting user. While this distinction sounds like a security hole, it's actually not been a problem in practice. The helper binaries have only been used in the case that the application is not setuid-0 and as such even if an improper authentication succeeded, the application could not change its uid from that of the requesting user.
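The logic defect the commit message describes, as an added C illustration that is not Linux-PAM code and not the helper binaries' actual implementation: a constructed in-memory account table stands in for the shadow database, the secrets are made-up plaintext values, and the rule in the "after fix" function that a non-root caller may only verify its own account is an assumption of this example, not something the page states.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the shadow database (not real data). */
struct account {
    const char *name;
    uid_t       uid;
    const char *secret;
};

static const struct account users[] = {
    { "alice", 1000, "alice-secret" },
    { "bob",   1001, "bob-secret"   },
};
#define NUSERS (sizeof users / sizeof users[0])

static const struct account *lookup_by_name(const char *name)
{
    for (size_t i = 0; i < NUSERS; i++)
        if (strcmp(users[i].name, name) == 0)
            return &users[i];
    return NULL;
}

static const struct account *lookup_by_uid(uid_t uid)
{
    for (size_t i = 0; i < NUSERS; i++)
        if (users[i].uid == uid)
            return &users[i];
    return NULL;
}

/* Comparison that does not stop at the first differing byte, so the
 * position of a mismatch is not leaked through timing. Returns 1 when
 * the two strings are identical. */
static int secret_matches(const char *expected, const char *supplied)
{
    size_t el = strlen(expected), sl = strlen(supplied);
    unsigned char diff = (unsigned char)(el != sl);
    for (size_t i = 0; i < el; i++)
        diff |= (unsigned char)(expected[i] ^ supplied[i < sl ? i : 0]);
    return diff == 0;
}

/* Behaviour the commit message describes as the bug: the helper verified
 * the password of the user who ran it and never consulted the user named
 * in the authentication request. Returns 1 on success. */
int helper_check_before_fix(uid_t requesting_uid, const char *target_user,
                            const char *password)
{
    const struct account *a = lookup_by_uid(requesting_uid);
    (void)target_user;               /* ignored: this is the defect */
    return a != NULL && secret_matches(a->secret, password);
}

/* Corrected behaviour: the credential is checked against the account that
 * is actually being authenticated. The extra rule that an unprivileged
 * caller may only verify its own account is this example's assumption. */
int helper_check_after_fix(uid_t requesting_uid, const char *target_user,
                           const char *password)
{
    const struct account *a = lookup_by_name(target_user);
    if (a == NULL)
        return 0;
    if (requesting_uid != 0 && a->uid != requesting_uid)
        return 0;                    /* non-root caller, foreign account */
    return secret_matches(a->secret, password);
}

int main(void)
{
    /* bob (uid 1001) asks the helper to authenticate "alice" using his own password */
    printf("before fix: %d\n", helper_check_before_fix(1001, "alice", "bob-secret"));
    printf("after fix:  %d\n", helper_check_after_fix(1001, "alice", "bob-secret"));
    printf("after fix, bob verifies bob: %d\n",
           helper_check_after_fix(1001, "bob", "bob-secret"));
    return 0;
}
```

The first call shows the confusion the commit message describes: the requesting user's own password "authenticates" an unrelated target name. The commit message also explains why that did not translate into a privilege change in practice (the helpers were only reached from applications that were not setuid-0), which is the condition the "after fix" function's uid rule models.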
Diffstat (limited to 'CHANGELOG')
-rw-r--r-- CHANGELOG 5
1 files changed, 5 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG
index ce7eb20e..6ec9c485 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -50,6 +50,11 @@ libpam. Prior versions were buggy - see bugfix for Bug 129775.
** WARNING **
+* fixed a small security hole (more of a user confusion issue) with
+ the unix and pwdb password helper binaries. The beef is described in
+ the bug report, but no uid change was possible so no-one should
+ think they need to issue a security bulletin over this one! (Bug
+ 112540 - agmorgan)
* pam_lastlog needs to be linked with -lutil (Bug 131549 - agmorgan)
* pam_cracklib needs to be linked with -lcrypt (old password checking)
(Bug 131601 - agmorgan)
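Review bot: the new CHANGELOG entry describes the defect only by pointing at the bug report ("The beef is described in the bug report"), while the commit message already states it in one sentence; put that sentence in the entry itself, e.g. "the helpers verified the password of the requesting user rather than that of the user being authenticated", so readers of CHANGELOG without access to Bug 112540 know what changed. The reassurance "no uid change was possible" rests on the precondition given in the commit message, that the helpers are only invoked by applications which are not setuid-0; stating that precondition in the entry lets an integrator check whether it holds for their deployment rather than take the "no security bulletin" verdict on trust.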