tags 376209 confirmed
thanks

I can confirm this behavior in Linux-PAM 0.99.7.1-2.  The from_match()
function falls through to evaluating tokens as network/netmask if the token
doesn't match the remote host / tty of the applicant in some other way.

A possible partial fix is to keep track of whether the applicant has an
associated rhost or tty and have from_match() use only checks of the
appropriate type; but that would not prevent these strings from being tested
as network addresses in the event that PAM_RHOST is indeed set.

In fact, given that "/" is valid in both tty names and in network/netmask
pairs, a complete fix will take quite a bit more study.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to