4.2. Choice of a service name

When picking the service-name that corresponds to the first entry in the Linux-PAM configuration file, the application programmer should avoid the temptation of choosing something related to argv[0] . It is a trivial matter for any user to invoke any application on a system under a different name and this should not be permitted to cause a security breach.

In general, this is always the right advice if the program is setuid, or otherwise more privileged than the user that invokes it. In some cases, avoiding this advice is convenient, but as an author of such an application, you should consider well the ways in which your program will be installed and used. (Its often the case that programs are not intended to be setuid, but end up being installed that way for convenience. If your program falls into this category, don't fall into the trap of making this mistake.)

To invoke some target application by another name, the user may symbolically link the target application with the desired name. To be precise all the user need do is, ln -s /target/application ./preferred_name and then run ./preferred_name .

By studying the Linux-PAM configuration file(s), an attacker can choose the preferred_name to be that of a service enjoying minimal protection; for example a game which uses Linux-PAM to restrict access to certain hours of the day. If the service-name were to be linked to the filename under which the service was invoked, it is clear that the user is effectively in the position of dictating which authentication scheme the service uses. Needless to say, this is not a secure situation.

The conclusion is that the application developer should carefully define the service-name of an application. The safest thing is to make it a single hard-wired name.