Fwd: debian postfix saslauthd pam sasl2-bin

Russ Allbery rra at debian.org
Mon Aug 27 18:39:04 UTC 2007


Fabian Fagerholm <fabbe at paniq.net> writes:

> The message quoted below was sent to the pkg-cyrus-sasl2-debian-devel
> mailing list. Unfortunately, I have absolutely no time right now to even
> think through the validity of the report. If the report is correct, this
> sounds like a serious security issue, which is why I'm sending this to
> team at security.d.o. Apologies if it's not.

> I'll be available for short comments or questions but do not expect
> prompt replies before the end of October.

The user seems to be saying that because saslauthd falls back on the
default system PAM configuration, users are authenticated without any
password.  The only way I can see that happening is if the user configured
their default system PAM stack to authenticate users without any password.
If so, well, don't do that then.

I could be missing something, but the report looked invalid to me.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
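
A defensive check for the situation discussed in the message above, added here as an illustration and not part of the original post or of the cyrus-sasl2 package: it resolves which PAM file a service would actually use (falling back to `other` when the service has no file of its own) and flags an auth stack that cannot fail or that accepts empty passwords. The sample configurations and the service names `smtp` and `imap` are constructed assumptions.

```python
# Constructed /etc/pam.d contents; the file bodies and the "smtp"/"imap"
# service names are illustrative assumptions, not taken from the report.
WEAK = {"other": "auth required pam_permit.so\naccount required pam_permit.so\n"}
SANE = {
    "other": "@include common-auth\n",
    "common-auth": "# shared stack\nauth [success=1 default=ignore] pam_unix.so\n"
                   "auth requisite pam_deny.so\nauth required pam_permit.so\n",
    "imap": "auth required pam_unix.so nullok\n",
}

def effective_file(service, pam_d):
    """libpam reads /etc/pam.d/other when the service has no file of its own."""
    return service if service in pam_d else "other"

def auth_entries(name, pam_d, seen=None):
    """Return [(module, args)] for the 'auth' entries of a file, following includes."""
    seen = set() if seen is None else seen
    if name in seen or name not in pam_d:
        return []
    seen.add(name)
    out = []
    for raw in pam_d[name].splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 2 and f[0] == "@include":            # Debian-style include
            out += auth_entries(f[1], pam_d, seen)
        elif len(f) >= 3 and f[0].lstrip("-") == "auth":
            i = 1
            if f[1].startswith("["):                      # "[success=1 default=ignore]"
                while i < len(f) - 1 and not f[i].endswith("]"):
                    i += 1
            rest = f[i + 1:]
            if rest and f[1] in ("include", "substack"):
                out += auth_entries(rest[0], pam_d, seen)
            elif rest:
                out.append((rest[0].rsplit("/", 1)[-1], rest[1:]))
    return out

def audit(service, pam_d):
    """Heuristic findings for the auth stack a service would actually get."""
    src = effective_file(service, pam_d)
    stack = auth_entries(src, pam_d)
    findings = []
    if src != service:
        findings.append("fallback-to-other")
    if stack and all(mod == "pam_permit.so" for mod, _ in stack):
        findings.append("auth-cannot-fail")
    if any(mod == "pam_unix.so" and "nullok" in args for mod, args in stack):
        findings.append("empty-password-allowed")
    return findings
```

To run it against a host, build the dictionary from the files in /etc/pam.d, keyed by file name.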


