Fwd: debian postfix saslauthd pam sasl2-bin
Roberto C. Sánchez
roberto at connexer.com
Mon Aug 27 18:56:01 UTC 2007
On Mon, Aug 27, 2007 at 11:39:04AM -0700, Russ Allbery wrote:
> Fabian Fagerholm <fabbe at paniq.net> writes:
>
> > The message quoted below was sent to the pkg-cyrus-sasl2-debian-devel
> > mailing list. Unfortunately, I have absolutely no time right now to even
> > think through the validity of the report. If the report is correct, this
> > sounds like a serious security issue, which is why I'm sending this to
> > team at security.d.o. Apologies if it's not.
>
> > I'll be available for short comments or questions but do not expect
> > prompt replies before the end of October.
>
> The user seems to be saying that because saslauthd falls back on the
> default system PAM configuration, users are authenticated without any
> password. The only way I can see that happening is if the user configured
> their default system PAM stack to authenticate users without any password.
> If so, well, don't do that then.
>
> I could be missing something, but the report looked invalid to me.
>
I agree. Without seeing the contents of
common-{account,auth,password,session}, it is impossible to tell what is
going on. Additionally, is anyone aware of the original submitter's
motivation for submitting to a full disclosure list without even
beginning a proper discussion of whether a problem exists in the first
place?
Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
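
The thread turns on what the default PAM stack (`common-auth`, reached through the fallback service) actually contains. As an added example, not part of the original messages, the sketch below walks a PAM service's `auth` rules and flags the two settings that let a login succeed without a real password. The `SAMPLE` file contents, the `smtp` service name and the function names are assumptions made for illustration, and the `pam_permit.so` check is a heuristic.

```python
import re

# Constructed sample of /etc/pam.d contents (not taken from the report).
SAMPLE = {
    "other": "@include common-auth\n@include common-account\n",
    "common-auth": "auth sufficient pam_permit.so  # weak on purpose\n"
                   "auth required pam_unix.so nullok\n",
    "common-account": "account required pam_unix.so\n",
    "login": "auth [success=1 default=ignore] pam_unix.so\n"
             "auth requisite pam_deny.so\n"
             "auth required pam_permit.so\n",
}
RULE = re.compile(r"-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def auth_rules(files, name, seen=None):
    """Yield (file, control, module, args) for auth rules, following includes."""
    seen = set() if seen is None else seen
    if name in seen or name not in files:
        return
    seen.add(name)
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) > 1 and parts[0] == "@include":   # Debian include syntax
            yield from auth_rules(files, parts[1], seen)
            continue
        m = RULE.match(line)
        if not m:
            continue                                    # not an auth rule
        control, module, args = m.groups()
        if control in ("include", "substack"):
            yield from auth_rules(files, module, seen)
        else:
            yield name, control, module.rsplit("/", 1)[-1], args.split()

def audit(files, service):
    """Return (service file actually used, findings) for a PAM service name."""
    start = service if service in files else "other"    # libpam fallback
    findings = []
    for i, (fname, control, module, args) in enumerate(auth_rules(files, start)):
        # Heuristic: pam_permit.so is only a problem when nothing gates it.
        if module == "pam_permit.so" and (i == 0 or control == "sufficient"):
            findings.append(f"{fname}: pam_permit.so succeeds with any password")
        if module == "pam_unix.so" and "nullok" in args:
            findings.append(f"{fname}: nullok accepts empty-password accounts")
    return start, findings

if __name__ == "__main__":
    print(audit(SAMPLE, "smtp"))
```

To check a real host, build the dictionary from the files under `/etc/pam.d` and pass the service name saslauthd is invoked with.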