Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Brian Dall on June 20, 2003, 12:35:54 AM
-
Just saw the following out on a news site. I'm not sure if it affects SME Server or not... can someone with more information confirm whether this PAM setting is set correctly by default, or if it is anything we SME users need to worry about?
---quote--- from http://www.smh.com.au/articles/2003/06/18/1055828363608.html
A vulnerability has been identified in Linux-PAM, which allows malicious, local users to escalate their privileges.
PAM stands for Pluggable Authentication Modules, a flexible mechanism for authenticating users.
One module, known as pam_wheel, is often used to allow users belonging to a trusted group to gain root status without supplying a password.
The vulnerability can kick in if the configuration file for pam_wheel has the "trust" option enabled and the "use_uid" option disabled.
Any local user can exploit this vulnerability to spoof log entries, or, in a worst case scenario, obtain super-user privileges.
A workaround suggested by iDefense, the company which revealed the flaw, is to enable the use_uid option in the pam_wheel configuration file.
A version of Linux-PAM which fixes the flaw has already been released.
---end quote---
Thanks,
-Brian
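The quoted article names one exact condition: a pam_wheel line with the "trust" option but without "use_uid" (use_uid makes the module check the caller's real uid instead of the login name looked up from the terminal session, which is the part a local user can spoof). The following is an added audit script, not code from the thread or from SME Server; the /etc/pam.d/su contents are constructed samples, and the file path is only an illustration.

```python
# Constructed sample of an /etc/pam.d/su with the weak setting the advisory describes.
SAMPLE_PAM_SU_WEAK = """\
#%PAM-1.0
auth       sufficient   pam_rootok.so
# trust without use_uid: group members get root with no password, caller identified by login name
auth       sufficient   pam_wheel.so trust
auth       required     pam_stack.so service=system-auth
"""

# Same file with the workaround from the advisory applied.
SAMPLE_PAM_SU_FIXED = """\
#%PAM-1.0
auth       sufficient   pam_rootok.so
# use_uid: membership is checked against the real uid of the calling process
auth       sufficient   pam_wheel.so trust use_uid
auth       required     pam_stack.so service=system-auth
"""


def parse_pam_lines(text):
    """Yield (lineno, type, control, module, options) for each effective PAM line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        # A bracketed control field such as [success=ok default=bad] contains spaces.
        if len(parts) >= 2 and parts[1].startswith("["):
            end = next((i for i, p in enumerate(parts) if p.endswith("]")), None)
            if end is None:
                continue  # malformed line; nothing to check
            parts = parts[:1] + [" ".join(parts[1 : end + 1])] + parts[end + 1 :]
        if len(parts) < 3:
            continue
        yield lineno, parts[0], parts[1], parts[2], set(parts[3:])


def find_weak_pam_wheel(text):
    """Return line numbers of pam_wheel entries that have 'trust' but lack 'use_uid'."""
    return [
        lineno
        for lineno, _type, _control, module, options in parse_pam_lines(text)
        if module.endswith("pam_wheel.so") and "trust" in options and "use_uid" not in options
    ]


def check_file(path="/etc/pam.d/su"):
    """Audit a real PAM service file (path is an illustrative default)."""
    with open(path) as handle:
        return find_weak_pam_wheel(handle.read())
```

Any line number the function returns is a pam_wheel entry to which the advisory's workaround (adding use_uid) applies; an empty list means no such entry was found in that file.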
-
In a default SME install, the only "local user" is root. Of course, as always, potential security issues should be sent only to smesecurity@mitel.com.
-
Sorry about posting to the forum rather than sending to the e-mail address.
I presume that is for home/free users as well as paid corporate users? Would they send an answer back?
Is there a way for me to remove a post I created if you don't want it out here?
-Brian
-
That address is for everybody, and they seem to respond even if you're not a paid user (at least, I've gotten responses from them when I've sent in issues, and I'm not a paying user). No way to cancel the post, though, that I know of.