Roland Mainz wrote:
[snip]
> > I think the best way forward here is to get a prototype up and running
> > and do a detailed security audit to make sure that admins writing shell
> > script pam modules can't trivially destroy security.
>
> How is the audit done ?

I just did a quick look at
http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/pam_modules/allow/allow.c
... it may be possible to hack a prototype within a day (assuming I
restrict it to pass the arguments from |pam_sm_*()| into a compound
variable and implement only a "pam_putenv" builtin (and maybe a
"pam_getenv")) plus the usual two day compile time...

----

Bye,
Roland

--
  __ .  . __
 (o.\ \/ /.o) roland.mainz at nrubsig.org
  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 641 7950090
 (;O/ \/ \O;)