Securid env variables?
mackay at kodak.com
Wed Sep 27 13:39:55 EDT 2000
From: Scott D. MacKay
Hello,
Wanted to drop a question on the SecurID Auth mechanism, based on some
interesting results I had during an install.
The problem I found revolved around the fact that SecurID utilizes 3
variables, as seen in the ACE SecurID examples section, which indicate
where SecurID related material resides. These are, I believe, VAR_ACE,
USR_ACE, and DLC_ACE. I have a concern that a user may be able to set
these before invoking SUDO and cause it to point to a potentially malicious
area for authentication. I have not reviewed the code well enough to be
positive, though.
I found this because my attempted build failed to find the securid data
area.
I was able to correct this (and close what I think may be a problem) by
adding the following 3 lines to securid.c at the start of securid_init():

    putenv("VAR_ACE=/usr/ace/data");
    putenv("USR_ACE=/usr/ace/prog");
    putenv("DLC=/usr/ace/rdbms");

I would assume the 'correct' way to do this is via #define settings based
on your 'configure' settings, but wanted to see if others think this is a
problem.
-Scott
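
The approach the post suggests, build-time values that always replace whatever the caller exported, is sketched below as an added example; it is not code from the post or from sudo. The macro names and pin_ace_env() are hypothetical, the paths are the ones in the post, and the third variable is named DLC as in the posted putenv() lines.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for setenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical macros; a real build would set them from 'configure'. */
#ifndef ACE_VAR_DIR
#define ACE_VAR_DIR "/usr/ace/data"
#endif
#ifndef ACE_USR_DIR
#define ACE_USR_DIR "/usr/ace/prog"
#endif
#ifndef ACE_DLC_DIR
#define ACE_DLC_DIR "/usr/ace/rdbms"
#endif

struct pinned_var { const char *name; const char *value; };

static const struct pinned_var ace_env[] = {
    { "VAR_ACE", ACE_VAR_DIR },
    { "USR_ACE", ACE_USR_DIR },
    { "DLC",     ACE_DLC_DIR },
};

/* Overwrite each variable with its build-time value before the auth
 * library reads it. Returns how many caller-supplied values differed
 * (worth logging), or -1 if the environment could not be updated. */
int pin_ace_env(void)
{
    int overridden = 0;
    size_t i;

    for (i = 0; i < sizeof(ace_env) / sizeof(ace_env[0]); i++) {
        const char *cur = getenv(ace_env[i].name);
        if (cur != NULL && strcmp(cur, ace_env[i].value) != 0)
            overridden++;
        if (setenv(ace_env[i].name, ace_env[i].value, 1) != 0)
            return -1;
    }
    return overridden;
}

int main(void)
{
    /* Constructed input: the invoking user points VAR_ACE elsewhere. */
    setenv("VAR_ACE", "/tmp/fake-ace", 1);
    printf("overridden=%d VAR_ACE=%s\n", pin_ace_env(), getenv("VAR_ACE"));
    return 0;
}
```

A non-zero return value means the invoking environment carried different locations, which is a reasonable thing to record in the authentication log.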
More information about the sudo-workers
mailing list