When picking the service-name that corresponds to the first entry in the /etc/pam.conf file, the application programmer should avoid the temptation of choosing something related to argv[0]. It is a trivial matter for any user to invoke any application on a system under a different name -- this should not be permitted to cause a security breach.
To invoke some target application by another name, the user may symbolically link the target application with the desired name. To be precise, all the user need do is:
    ln -s /target/application ./preferred_name
and then run ./preferred_name.
By studying the Linux-PAM configuration file, /etc/pam.conf, an attacker can choose the preferred_name to be that of a service enjoying minimal protection; for example a game which uses Linux-PAM to restrict access to certain hours of the day. If the service-name were to be linked to the filename under which the service was invoked, it is clear that the user is effectively in the position of dictating which authentication scheme the service uses. Needless to say, this is not a secure situation.
The conclusion is that the application developer should carefully define the service-name of an application. The safest thing is to make it a single hard-wired name.
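The following is an added example, not code from the original guide or from Linux-PAM. It contrasts a service-name derived from argv[0] with a hard-wired one by running both through a simplified model of the /etc/pam.conf lookup. The service names secureapp and timedgame, the sample rules and the helper functions are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /etc/pam.conf layout: service type control module */
static const char *SAMPLE_CONF[] = {
    "secureapp  auth     required  pam_unix.so",
    "secureapp  account  required  pam_unix.so",
    "timedgame  auth     required  pam_permit.so",
    "timedgame  account  required  pam_time.so",
};

/* Simplified lookup (hypothetical helper): copy the module of the first
 * "auth" rule for `service` into out; returns 1 if found, 0 otherwise. */
static int first_auth_module(const char *service, char *out, size_t len)
{
    for (size_t i = 0; i < sizeof SAMPLE_CONF / sizeof *SAMPLE_CONF; i++) {
        char svc[32], type[32], ctrl[32], mod[64];
        if (sscanf(SAMPLE_CONF[i], "%31s %31s %31s %63s", svc, type, ctrl, mod) == 4
            && strcmp(svc, service) == 0 && strcmp(type, "auth") == 0) {
            snprintf(out, len, "%s", mod);
            return 1;
        }
    }
    return 0;
}

/* Unsafe: the service-name follows whatever name the program was run under. */
static const char *service_from_argv0(const char *argv0)
{
    const char *slash = strrchr(argv0, '/');
    return slash ? slash + 1 : argv0;
}

/* Safe: one hard-wired name, independent of argv[0]; this is the value
 * an application would pass as service_name to pam_start(). */
#define SERVICE_NAME "secureapp"
static const char *service_hardwired(void) { return SERVICE_NAME; }

int main(void)
{
    const char *invocations[] = { "/usr/bin/secureapp", "./timedgame" };
    char mod[64];
    for (int i = 0; i < 2; i++) {
        first_auth_module(service_from_argv0(invocations[i]), mod, sizeof mod);
        printf("%-20s argv[0]-derived -> %s", invocations[i], mod);
        first_auth_module(service_hardwired(), mod, sizeof mod);
        printf(", hard-wired -> %s\n", mod);
    }
    return 0;
}
```

With the argv[0]-derived name, the invocation name decides which auth rule is selected; with the hard-wired name the result is the same for every invocation.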