[arch-general] pam settings INSECURE

Ng Oon-Ee ngoonee at gmail.com
Wed Nov 18 02:43:06 EST 2009


On Wed, 2009-11-18 at 02:24 -0500, Caleb Cushing wrote:
> > Oh no.  It has been 1 day and my "bug" is not fixed! I must blog about it so
> > the world listens to me...
> 
> also no one has presented a /good/ reason for not fixing it, only
> reasons they don't think it should be fixed. you could do abc or d
> things that I can think of... but no one has said why security
> shouldn't be tighter for kde. what's the negative impact? why aren't
> failed logins being logged right now? why can users login if they have
> an account but no valid shell? seriously? what's the reason that this
> should not be fixed? that there MAY be acceptable alternatives? I
> don't find the GUI option acceptable, because it's too kde specific,
> and (probably) doesn't affect a thing if I change login managers. only
> one of the options you suggest actually does what I need to do... but
> for some reason it didn't take immediate effect when I tried it.
<snip>

Minimal modification of packages. Allow users to choose for themselves
instead of doing work for them. I fail to see the security implications
here for the common user, why would someone want to lock out a user
without deleting the account except a system admin, who presumably would
know what to do and would not need a 'simple one-step process'. I'd
wager most Arch users simply have 1 account they use all the time, and
perhaps a guest account for others to use.

This isn't a security hole, and it isn't the responsibility of Arch devs
to make decisions for the users except in extreme cases.