
oath-toolkit: privilege escalation in pam_oath.so (SUSE Security Team Blog)

Friday 4 October 2024, 17:28, by LWN.net
The SUSE Security Team Blog has a detailed
report on its discovery of a privilege escalation in the
oath-toolkit,
which provides libraries and utilities for managing one-time password
(OTP) authentication.

Fellow SUSE engineer Fabian Vogt approached our Security Team about
the project's PAM module. A couple of years ago, the module gained a
feature which allows placing the OTP state file (called usersfile) in
the home directory of the to-be-authenticated user. Fabian noticed
that the PAM module performs unsafe file operations in users' home
directories. Since PAM stacks typically run as root, this can easily
cause security issues.
https://lwn.net/Articles/992948/
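
One defensive pattern for the bug class described above (a root process opening a file inside a directory the user controls), as an added example. It is not oath-toolkit's code or its fix; the function name `open_user_state_file` and the acceptance policy are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (name and policy are assumptions for this example).
 * Opens `name` inside `dir` read-only on behalf of a privileged caller.
 * Returns a file descriptor, or -1 with errno set if the file is rejected. */
int open_user_state_file(const char *dir, const char *name, uid_t owner)
{
    struct stat st;
    int saved, fd;

    /* Pin the directory so the next lookup is relative to this inode and not
     * to a path the user can re-point. O_NOFOLLOW covers the last component. */
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dfd < 0)
        return -1;

    /* Refuse a symlink as the file itself; O_NONBLOCK avoids hanging on a FIFO. */
    fd = openat(dfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    saved = errno;
    close(dfd);
    if (fd < 0) {
        errno = saved;
        return -1;
    }

    /* Check the object actually opened: fstat on the fd, not stat on the path. */
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||                 /* no devices, FIFOs, directories */
        st.st_uid != owner ||                   /* must belong to the expected user */
        st.st_nlink != 1 ||                     /* no additional hard links */
        (st.st_mode & (S_IWGRP | S_IWOTH))) {   /* not writable by group or others */
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}
```

Checks like these cover opening an existing file for reading. Creating or replacing files in the user's directory is more safely done after switching to the user's identity.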
