PAM kbd-int with privsep

Nalin Dahyabhai nalin at redhat.com
Thu Jun 27 02:02:12 EST 2002


On Wed, Jun 26, 2002 at 02:03:40PM +1000, Damien Miller wrote:
> On Wed, 2002-06-26 at 02:39, Nalin Dahyabhai wrote:
> > It might be fixable by modifying it to have the parent do the PAM work,
> > but it'd require an approach similar to the existing kbdint code, and I
> > don't know how it would work in the context of a monitoring setup.
> 
> It is conceivable that we could hook into the shared memory malloc
> routines to make the PAM context available to parent and child.
> Unfortunately doing so may expose us to issues where the child attempts
> privilege escalation by deliberately corrupting its PAM context.

Unless you can affect how modules allocate memory, they may (and often
do) allocate memory for their own use and store it in the PAM context
as a PAM data item.  Storing the data just keeps a pointer to the data
in the PAM context, so you can't determine how big it is, either.

> > It might also be resolved (at least for Linux-PAM 0.65 and later and
> > derivatives, I haven't a clue about other implementations) by using
> > the PAM_CONV_AGAIN/PAM_INCOMPLETE framework and letting the privileged
> > process drive the conversation, but the framework is not well supported
> > by most of the modules I've spot-checked.  (That's fixable, though.)
> 
> Am I correct in believing that this framework isn't in the original PAM
> RFC? If so, that doesn't help us for Solaris, HP/UX and other non-Linux
> PAM-supported platforms.

My reading of the RFC also indicates this, but it's an old document and
given that Linux-PAM implements a superset of what the RFC defines, it's
possible (though unlikely) that other implementations may also implement
this framework.

Nalin
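The PAM_CONV_AGAIN/PAM_INCOMPLETE re-entry described above, as an added example that is not OpenSSH or Linux-PAM code: the privileged process calls pam_authenticate, its conversation function has no answer yet, so it records the prompt and returns PAM_CONV_AGAIN, the module turns that into PAM_INCOMPLETE, the monitor relays the prompt to the unprivileged side, and then calls pam_authenticate again with the answer in hand. libpam is not linked here: the return codes and structs are copied from Linux-PAM's <security/pam_appl.h>, and pam_authenticate_stub() is a constructed stand-in for libpam plus one module that actually honours PAM_CONV_AGAIN (most real modules, as the message notes, do not). The relay function, the password "hunter2", and the run_demo() driver are all assumptions for illustration.

```c
/* Added example, not OpenSSH/Linux-PAM code. libpam is not linked: the
 * constants and structs below are copied from <security/pam_appl.h>, and
 * pam_authenticate_stub() stands in for libpam plus one re-entrant module. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAM_SUCCESS         0
#define PAM_AUTH_ERR        7
#define PAM_CONV_ERR        19
#define PAM_CONV_AGAIN      30   /* conv fn: "no answer yet, call me again" */
#define PAM_INCOMPLETE      31   /* pam_authenticate: "resume me later"    */
#define PAM_PROMPT_ECHO_OFF 1

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};
/* Stand-in for pam_handle_t: the conv plus what the fake module checks. */
typedef struct { const struct pam_conv *conv; const char *expected; } pam_handle_t;

/* Application (privileged monitor) side of the conversation. */
struct monitor_conv {
    char  pending_prompt[128]; /* prompt captured on the PAM_CONV_AGAIN pass */
    char *answer;              /* answer relayed back by the unprivileged side */
};

static int monitor_conv_fn(int num_msg, const struct pam_message **msg,
                           struct pam_response **resp, void *appdata)
{
    struct monitor_conv *st = appdata;
    if (num_msg != 1 || msg[0]->msg_style != PAM_PROMPT_ECHO_OFF)
        return PAM_CONV_ERR;            /* single hidden prompt only, for brevity */
    if (st->answer == NULL) {
        /* First pass: nothing to answer with; record the prompt and defer. */
        snprintf(st->pending_prompt, sizeof st->pending_prompt, "%s", msg[0]->msg);
        return PAM_CONV_AGAIN;
    }
    if ((*resp = calloc(1, sizeof **resp)) == NULL)
        return PAM_CONV_ERR;
    (*resp)[0].resp = st->answer;       /* PAM convention: the module frees it */
    st->answer = NULL;
    return PAM_SUCCESS;
}

/* Constructed stand-in for pam_authenticate() plus a module that honours
 * PAM_CONV_AGAIN by returning PAM_INCOMPLETE instead of failing outright. */
static int pam_authenticate_stub(pam_handle_t *pamh, int flags)
{
    const struct pam_message m = { PAM_PROMPT_ECHO_OFF, "Password: " };
    const struct pam_message *mp = &m;
    struct pam_response *r = NULL;
    (void)flags;
    int rc = pamh->conv->conv(1, &mp, &r, pamh->conv->appdata_ptr);
    if (rc == PAM_CONV_AGAIN)
        return PAM_INCOMPLETE;          /* module kept no state; caller retries */
    if (rc != PAM_SUCCESS || r == NULL || r[0].resp == NULL)
        return PAM_CONV_ERR;
    rc = strcmp(r[0].resp, pamh->expected) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
    memset(r[0].resp, 0, strlen(r[0].resp));   /* scrub the secret before free */
    free(r[0].resp);
    free(r);
    return rc;
}

/* The privileged side drives authentication. `relay` stands in for the
 * monitor's channel to the unprivileged process: it takes the captured
 * prompt and returns a heap-allocated answer. *calls counts rounds. */
static int monitor_authenticate(pam_handle_t *pamh, struct monitor_conv *st,
                                char *(*relay)(const char *), int *calls)
{
    for (*calls = 1; *calls <= 8; (*calls)++) {   /* cap rounds: no spinning */
        int rc = pam_authenticate_stub(pamh, 0);
        if (rc != PAM_INCOMPLETE)
            return rc;
        if ((st->answer = relay(st->pending_prompt)) == NULL)
            return PAM_CONV_ERR;
    }
    return PAM_CONV_ERR;
}

/* Constructed "unprivileged peer": answers any prompt with a fixed string. */
static const char *peer_answer;
static char *fake_relay(const char *prompt)
{
    if (prompt[0] == '\0') return NULL;
    size_t n = strlen(peer_answer) + 1;
    char *a = malloc(n);
    return a ? memcpy(a, peer_answer, n) : NULL;
}

static int last_rounds;
int demo_rounds(void) { return last_rounds; }

/* One full authentication: `expected` is what the fake module wants,
 * `supplied` is what the peer answers. Returns the PAM result code. */
int run_demo(const char *expected, const char *supplied)
{
    struct monitor_conv st = { {0}, NULL };
    struct pam_conv cv = { monitor_conv_fn, &st };
    pam_handle_t h = { &cv, expected };
    peer_answer = supplied;
    return monitor_authenticate(&h, &st, fake_relay, &last_rounds);
}

int main(void)
{
    int rc = run_demo("hunter2", "hunter2");
    printf("rounds=%d rc=%d (%s)\n", demo_rounds(), rc, rc == PAM_SUCCESS ? "ok" : "fail");
    rc = run_demo("hunter2", "wrong");
    printf("rounds=%d rc=%d (%s)\n", demo_rounds(), rc, rc == PAM_AUTH_ERR ? "auth err" : "other");
    return 0;
}
```

The point the stub makes visible is that the PAM handle itself never has to cross the privilege boundary: only the prompt text and the answer do, and both calls to pam_authenticate run in the privileged process with the same handle. A module that does not understand PAM_CONV_AGAIN would instead treat the first conversation as failed and return an error on the first round, which is the gap in module support the message refers to.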


