newbie vserver/auth question.

pinotj at club-internet.fr pinotj at club-internet.fr
Tue Mar 29 07:58:55 PST 2005


>I understand that, only some daemons aren't that easy to set up in jails
>like apache, samba and pop/imap daemons. (logical, they need to access
>users home dirs)
>The most troubling is samba which runs as root.

Apache runs as "nobody" but it actually needs root privilege for the child processes to access ports < 1024.
It leads to problems, as for example with the awstats flaw. Some computers were hacked this way lately.

>But how about the auth system, does pam add an extra security level or
>will it only add an extra "burden" for the admin?

Patrick Volkerding, maintainer of the Slackware Linux distro, has his own idea:

"Please indulge me for this brief aside (as requests for PAM are on the rise):
If you see a security problem reported which depends on PAM, you can be
glad you run Slackware. I think a better name for PAM might be SCAM, for
Swiss Cheese Authentication Modules, and have never felt that the small
amount of convenience it provides is worth the great loss of system
security. We miss out on half a dozen security problems a year by not
using PAM, but you can always install it yourself if you feel that
you're missing out on the fun. (No, don't do that)
OK, I'm done ranting here. :-)"

I agree with this. As PAM is not required to improve the security level, I too believe that it should not be used. Less code, fewer flaws.

regards,

-- 
Jerome Pinot
http://ngc891.blogdns.net/projects/hlfs 




