The Linux-PAM Hall of Fame


The Challenge

This is a page devoted to the adoration of people who have broken PAM. Would you like to have your name on this page? You have the source, feel free to try! Mail your exploit/patches to me or the Linux-PAM mailing list.

People that deserve your respect

The following people have found weaknesses in the Linux-PAM distribution. Thanks to their efforts Linux-PAM is a more secure package. Where available, we have indicated the fix that resulted from their investigations.

Holes in libpam

Werner Almesberger pointed out that advisory locking can lead to a pretty effective denial of service attack. Advisory locking was removed from Linux-PAM-0.52.

Holes in modules

Subtle security hole in pam_rhosts module found by Jacob Langford (Tue, 30 Sep 1997 11:03:05 -0500) and fix posted by Andrey V. Savochkin (Wed, 1 Oct 1997 11:49:04 +0300). The problem was concerned with successive calls to gethostbyname() and a failure to cache the results of previous calls.

Olaf Kirch took the time to scour the source for Linux-PAM 0.58. He uncovered a few subtle problems with a number of modules. All of these problems (besides one relating to IPv6) were fixed in the 0.63 release. [This was the next release (three days) after Olaf’s posting.]

Michal Zalewski identified a permission manipulation problem with the pam_unix module (Dec 23, 1998 at 01:12:45PM +0100). Andrey V. Savochkin provided a patch (Thu, 24 Dec 1998 18:02:03 +0300) for this and a similar problem in pam_tally.
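The pam_rhosts entry above turns on a property of gethostbyname(): it returns a pointer into static storage that a later call may overwrite, so a result has to be copied before the next lookup. The following is an added example, not code from Linux-PAM or from the posted fix; the function names are hypothetical and the inputs are constructed numeric addresses so that no DNS query is made.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Copy the first IPv4 address out of gethostbyname()'s static storage.
 * Returns 0 on success, -1 if the lookup failed or is not plain IPv4. */
static int resolve_cached(const char *name, struct in_addr *out)
{
    struct hostent *h = gethostbyname(name);
    if (h == NULL || h->h_addrtype != AF_INET ||
        h->h_length != (int)sizeof(*out) || h->h_addr_list[0] == NULL)
        return -1;
    memcpy(out, h->h_addr_list[0], sizeof(*out));
    return 0;
}

/* Hardened comparison: each result is cached before the next lookup. */
static int same_host_cached(const char *a, const char *b)
{
    struct in_addr ia, ib;
    if (resolve_cached(a, &ia) != 0 || resolve_cached(b, &ib) != 0)
        return 0;                            /* fail closed */
    return ia.s_addr == ib.s_addr;
}

/* Fragile comparison: the pointer from the first call is still in use
 * after the second call, which may have reused the same static buffer. */
static int same_host_uncached(const char *a, const char *b)
{
    struct hostent *ha = gethostbyname(a);
    struct hostent *hb = gethostbyname(b);   /* may overwrite *ha */
    if (ha == NULL || hb == NULL)
        return 0;
    return memcmp(ha->h_addr_list[0], hb->h_addr_list[0],
                  (size_t)ha->h_length) == 0;
}

int main(void)
{
    /* Constructed inputs: two different numeric addresses. */
    printf("cached:   %d\n", same_host_cached("127.0.0.1", "192.0.2.7"));
    printf("uncached: %d\n", same_host_uncached("127.0.0.1", "192.0.2.7"));
    return 0;
}
```

On C libraries that reuse a single static buffer, the uncached variant compares the second result with itself and reports a match for two different hosts.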

This page was last changed: 1998/12/24

Mail: Andrew Morgan (My PGP key is here)
