otpasswd-talk

Re: [Otpasswd-talk] Getting stable + config layout


From: Tomasz bla Fortuna
Subject: Re: [Otpasswd-talk] Getting stable + config layout
Date: Sat, 16 Jan 2010 21:08:21 +0100

(I have to organise myself somehow with these groups so I won't be
omitting the group CC each time I reply... ;d)

On Sat, 16 Jan 2010 14:26:12 -0500
Luke Faraone <address@hidden> wrote:

> On Fri, Jan 15, 2010 at 04:59, Tomasz bla Fortuna <address@hidden>
> wrote:
(... agreed! ...)
> 
> If the utility is SUID root, and it drops privlages to the otpasswd
> user, can't the otpasswd user modify the configuration file to change
> the "USER=" keyword to whoever?
> 
> Example:
> App is started, it reads config file, drops to otpasswd, encounters
> malicious input or some other vulnerability, and arbitrary code is
> executed as the otpasswd user. The utility otpasswd user changes
> "USER" to "root" or "apache2" or some other user, and then the app is
> restarted by the attacker. The attacker exploits the same
> vulnerability and can now execute arbitrary code as the apache2 user.

The config file is owned by root, but the directory containing it is
owned by the otpasswd user.

Therefore otpasswd might remove the file (not edit it!) and recreate it
maliciously. Still, otpasswd will die then, as the owner of the file changes:

Configuration file should be owned by root.

OTPasswd not correctly installed.
Consult installation manual for detailed information.


Tell me if I missed something or if you prefer to (e.g.) move the config
directly into /etc, removing the problem of ownership.

> 
> # MySQL configuration (NI!)
> >
> 
> I assume *NI* means "not implemented". Are you planning to include
> "not implemented" options in the 0.5 release?

Lots of NI options already got implemented, but MySQL and LDAP I guess
won't be by 0.5. These options can be safely removed from the config and
otpasswd won't bother. There's only one reason I know of for leaving these
options there:
the config update after they are implemented will be much simpler.


I don't think they must be left in the packages really. I'd leave them
inside the source tree as they work kind of like a 'TODO'.

I think I'd personally remove MySQL/LDAP entries as they are huge and
leave other 'NI' parameters.

> 
> # (Utility works on level 1, can be switched into 2 by -v option)
> > [...]
> >
> # 3 - Verbose: Errors, Warnings, Notices (-v option to utility)
> >
> 
> Maybe I'm reading this wrong, but don't these seem to contradict each
> other? (level 3 vs level 2)

True, fixed. -v currently switches the utility to level 3.

> 
> #     Verbose mode is enabled by "debug" module option.
> >
> 
> What's the difference between enabling it on the module or on the
> utility?

It's implemented for the module mostly for compatibility with the PAM
idea of module parameters. Still, this makes sense for the SILENT
option: setting it in the config enables it for both the session and
auth stacks, while it's perfectly reasonable to set silent for the auth
stack and leave session working.

The module parameter has priority.

> 
> ##
> > # 0 - OOB disabled
> > # 1 - OOB available on user request (by entering '.' on passcode prompt)
> > # 2 - OOB on request, requires static password prompt
> > # 3 - Sent OOB at the beginning of all authentication sessions.
> > ##
> > PAM_OOB=0
> >
> 
> Please make a note that OOB means "out of band" somewhere before
> using the abbr :)

Haha, true.

> 
> # Utility Policy Configuration
> > #
> > # As opposed to "System Policy" this works only if user doesn't
> > # have direct access to state database himself.
> >
> 
> I'm confused: does this mean when using the .otpasswd file/folder in
> ~ or not?
> If it does, then why is there a global policy? Can the user override
> it?

Yes. Only in DB=global OR in mysql/ldap (if the user doesn't have
mysql/ldap access). Still, the user might not have access to his ~
and not be able to read .otpasswd while DB=user (otpasswd used
for some www auth, for example).

# As opposed to "System Policy" this works only if user doesn't
# have direct access to state database himself, that is:
# either DB is set to global or user doesn't have access to his
# home.

(omitting NI mysql/ldap setting)


Hm. There are options which can be enforced by PAM even if the user played
with his state configuration; that's why it's split.

The otpasswd utility tries to stay conformant to the policy even if the user
himself could avoid it. In some cases only PAM can detect it and
enforce it itself.


Thanks for review and cheers, ;)
-- 
Tomasz bla Fortuna
jid: bla(at)af.gliwice.pl
pgp: 0x90746E79 @ pgp.mit.edu
www: http://bla.thera.be
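The ownership check the reply relies on (a root-owned config file that a directory owner can unlink and recreate, but not edit in place, so the utility refuses to run when the owner changes) can be done on the opened descriptor rather than on the path, so that the file checked is exactly the file read. The following C program is an added example written for this page; it is not otpasswd's own code and uses no otpasswd paths. The function names (cfg_check_fd, cfg_open_checked, cfg_check_dir, cfg_demo), the status enum, the scratch directory under /tmp and the message strings are all this example's own. It also checks the containing directory, which is the second half of the problem raised in the thread: a directory owned by another user allows the replace-and-restart sequence even when the file itself is root-owned.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of verifying a configuration file before trusting its contents. */
enum cfg_status {
    CFG_OK = 0,
    CFG_OPEN_FAILED,             /* open()/stat() failed */
    CFG_NOT_REGULAR,             /* not a regular file (or not a directory) */
    CFG_WRONG_OWNER,             /* not owned by the required uid */
    CFG_GROUP_OR_WORLD_WRITABLE  /* others could rewrite it in place */
};

/* Check an already-open descriptor with fstat(): the object checked is the
 * one that will be read, so unlinking and recreating the file between check
 * and read gains nothing. */
enum cfg_status cfg_check_fd(int fd, uid_t required_owner)
{
    struct stat st;
    if (fstat(fd, &st) != 0) return CFG_OPEN_FAILED;
    if (!S_ISREG(st.st_mode)) return CFG_NOT_REGULAR;
    if (st.st_uid != required_owner) return CFG_WRONG_OWNER;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return CFG_GROUP_OR_WORLD_WRITABLE;
    return CFG_OK;
}

/* Open the file (refusing symlinks) and validate it. Returns the fd on
 * success, -1 otherwise; *status says why. */
int cfg_open_checked(const char *path, uid_t required_owner, enum cfg_status *status)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) { *status = CFG_OPEN_FAILED; return -1; }
    *status = cfg_check_fd(fd, required_owner);
    if (*status != CFG_OK) { close(fd); return -1; }
    return fd;
}

/* The containing directory matters too: whoever owns it can unlink and
 * recreate the file regardless of the file's own owner. */
enum cfg_status cfg_check_dir(const char *dir, uid_t required_owner)
{
    struct stat st;
    if (stat(dir, &st) != 0) return CFG_OPEN_FAILED;
    if (!S_ISDIR(st.st_mode)) return CFG_NOT_REGULAR;
    if (st.st_uid != required_owner) return CFG_WRONG_OWNER;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return CFG_GROUP_OR_WORLD_WRITABLE;
    return CFG_OK;
}

/* Reason for refusing to start (wording is this example's own). */
const char *cfg_status_str(enum cfg_status s)
{
    switch (s) {
    case CFG_OK: return "ok";
    case CFG_OPEN_FAILED: return "cannot open or stat configuration";
    case CFG_NOT_REGULAR: return "configuration is not a regular file";
    case CFG_WRONG_OWNER: return "configuration file should be owned by the required user";
    case CFG_GROUP_OR_WORLD_WRITABLE: return "configuration is writable by group or others";
    }
    return "unknown";
}

/* Constructed demonstration in a scratch directory: exercises accept and
 * refuse paths for both file and directory. Returns the number of results
 * that did not match expectations (0 = all as expected). */
int cfg_demo(void)
{
    char dir[] = "/tmp/cfgdemo.XXXXXX";   /* constructed scratch location */
    char path[sizeof dir + 16];
    enum cfg_status st;
    uid_t me = getuid();
    int fails = 0, fd;

    if (mkdtemp(dir) == NULL) return 1;
    snprintf(path, sizeof path, "%s/otpasswd.conf", dir);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) { rmdir(dir); return 1; }
    (void)write(fd, "DB=global\n", 10);
    close(fd);
    chmod(path, 0644);                     /* independent of umask */

    /* 1. expected owner, mode 0644: accepted */
    fd = cfg_open_checked(path, me, &st);
    if (fd < 0 || st != CFG_OK) fails++;
    if (fd >= 0) close(fd);
    /* 2. same file, caller demands a different owner: refused */
    fd = cfg_open_checked(path, me + 1, &st);
    if (fd != -1 || st != CFG_WRONG_OWNER) fails++;
    /* 3. right owner but world-writable: refused */
    chmod(path, 0666);
    fd = cfg_open_checked(path, me, &st);
    if (fd != -1 || st != CFG_GROUP_OR_WORLD_WRITABLE) fails++;
    /* 4. mkdtemp() creates the directory 0700: passes for its owner */
    if (cfg_check_dir(dir, me) != CFG_OK) fails++;
    /* 5. a directory others can write into fails even with the right owner */
    chmod(dir, 0775);
    if (cfg_check_dir(dir, me) != CFG_GROUP_OR_WORLD_WRITABLE) fails++;

    unlink(path);
    rmdir(dir);
    return fails;
}

int main(void)
{
    int fails = cfg_demo();
    printf("cfg_demo: %d unexpected result(s)\n", fails);
    return fails ? 1 : 0;
}
```

In a real SUID utility the owner passed in would be 0 (root) and the checks would run before privileges are dropped; the demo uses the calling uid only so that it runs unprivileged. Moving the file into a root-owned directory such as /etc, as the reply considers, is what makes the directory check pass.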
