[Pkg-cups-devel] Bug#385068: add some pam features
Roger Leigh
rleigh at whinlatter.ukfsn.org
Tue Aug 29 23:31:12 UTC 2006
General Stone <generalstone at gmx.net> writes:
> Roger Leigh wrote:
>> I'm fairly sure that the PAM_TTY must be a terminal device. There
>> might be security issues in using a "fake" TTY: that's a relative
>> path, and so a "cups" "TTY" could be created in the CWD and
>> potentially abused (for example, a hard or soft link to a real TTY).
>> If there isn't a TTY, PAM_TTY should probably be left unset.
>
> Yes, I was confused myself about the function of this variable, but the
> pam-modules (look at the sources) want be check if it was a TTY device
> or not. The SSH server sets the PAM_TTY variable to "ssh" and xdm sets
> the variable to ":0" or ":1", etc. The pam_access module itself
> supports these fake variables (see libpam-doc).
>
> So I think there shouldn't be a problem if cupsd sets the variable to
> "cups" or "cupsys" or whatever.

OK, thanks for clarifying that. Looking at openssh, that was
surrounded by

  #ifdef PAM_TTY_KLUDGE
  ...
  #endif

so it looks like it's essentially a workaround for buggy PAM modules.
If it's considered acceptable for openssh, it should be fine for CUPS.

Thanks,
Roger

--
.''`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/
`- GPG Public Key: 0x25BFB848 Please GPG sign your mail.
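
The concern raised in this thread (a relative PAM_TTY name resolving in the CWD, possibly through a link to a real TTY) can be checked before the value is handed to pam_set_item(). The following is an added example, not code from CUPS, OpenSSH or this bug report; is_real_tty() and choose_pam_tty() are hypothetical helper names, and the "cups" token is the one proposed in the message above.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns 1 only if `path` is an absolute /dev/ path
 * that opens, without following a final symlink, to a terminal device. */
static int is_real_tty(const char *path)
{
    struct stat st;
    int fd, ok;

    if (path == NULL || strncmp(path, "/dev/", 5) != 0)
        return 0;   /* relative names would resolve against the CWD */
    if (strstr(path, "/../") != NULL)
        return 0;   /* do not let the path climb back out of /dev */
    fd = open(path, O_RDONLY | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
    if (fd < 0)
        return 0;   /* missing, unreadable, or a symlink (ELOOP) */
    /* Check the opened descriptor, not the name, so the answer cannot
     * change between the check and the use of the file. */
    ok = fstat(fd, &st) == 0 && S_ISCHR(st.st_mode) && isatty(fd);
    close(fd);
    return ok;
}

/* Hypothetical helper: the string to pass as PAM_TTY. A verified terminal
 * path is used as-is; anything else becomes the service token, which PAM
 * modules then see as a plain name rather than a file to open. */
const char *choose_pam_tty(const char *candidate, const char *service_token)
{
    return is_real_tty(candidate) ? candidate : service_token;
}

int main(int argc, char **argv)
{
    /* "cups" is the token proposed in the thread. */
    printf("PAM_TTY=%s\n", choose_pam_tty(argc > 1 ? argv[1] : NULL, "cups"));
    return 0;
}
```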