[OpenAFS] Changes for Mosaic's AFS cell...
Christopher Allen Wing
wingc@engin.umich.edu
Thu, 6 Apr 2006 14:11:57 -0400 (EDT)
On Thu, 6 Apr 2006, Derrick J Brashear wrote:
>> You might argue that these are really 3 different modes of operation and
>> they should belong in 3 different PAM modules. But on some Linux systems
>> at least this is all done by a single PAM module that figures out which of
>> those 3 things to do based on the situation.
>
> What does Linux have to do with it? I had a module which worked on Linux and
> Solaris in 1998 or so... which handled all 3 cases
I was aware of this behavior with some Linux PAM modules, I'm not familiar
with what every other OS and every other other PAM module did, that's all.
> but did not honor env, though I suppose with the relevant checks you
> could avoid the attack I was concerned about... which at this point I no
> longer even remember the details of.
On these particular (Linux) systems, xscreensaver didn't run as root, so
you couldn't attack it by feeding it an incorrect $KRB5CCNAME.
-Chris