Python PAM 模块的安全问题?

发布于 2024-08-05 17:38:18 字数 355 浏览 14 评论 0原文

我有兴趣编写一个 PAM 模块,该模块将利用流行的 Unix 登录身份验证机制。我过去的大部分编程经验都是使用 Python 进行的,并且我正在交互的系统已经有一个 Python API。我用谷歌搜索了一下,发现 pam_python,它允许 PAM 模块调用 python 解释器,因此允许 PAM 模块本质上是用 Python 编写的。

但是,我了解到,当允许用户调用以比用户本身更高的访问级别运行的 Python 代码(例如 SUID Python 脚本)时,存在安全风险。这些问题是否也适用于 Python PAM 模块?

I'm interested in writing a PAM module that would make use of a popular authentication mechanism for Unix logins. Most of my past programming experience has been in Python, and the system I'm interacting with already has a Python API. I googled around and found pam_python, which allows PAM modules to invoke the python intrepreter, therefore allowing PAM modules to be written essentially in Python.

However, I've read that there are security risks when allowing a user to invoke Python code that runs with a higher access level than the user itself, such as SUID Python scripts. Are these concerns applicable to a Python PAM module as well?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

摘星┃星的人 2024-08-12 17:38:18

您提到的安全问题本身并不是关于“允许用户调用以高访问级别运行的 Python 代码”,而是允许用户对运行的运行进行任何形式的控制。此类代码的控制——最明显的是通过注入或更改代码本身,但更巧妙的是,还可以通过控制该进程的环境(例如,控制该代码导入模块的路径)。 (例如,如果用户能够控制 C 编写的代码加载 .so 的路径,则类似的问题也适用 - 尽管操作系统可能会更直接地帮助解决此类问题)。

在我看来,pam_python 能够很好地抵御此类风险,因此它应该可以安全地用于您的目的。但是,请注意文档指出...:

从 Python 编写 PAM 模块会产生问题
很大的性能损失和
需要安装Python,所以它
不是写作的最佳选择
将被广泛使用的模块。

因此,如果您认为您提供的机制将会流行,您可能会希望用 C 语言编写模块以避免这些问题。然而,在用 C 语言将其固定之前,用 Python 对其进行原型设计,作为有限分发的概念证明,是一个可行的策略。

The security concerns that you mention aren't, per se, about "allowing the user to invoke Python code" which runs with high access levels, but allowing the user to exercise any form of control over the running of such code -- most obviously by injecting or altering the code itself, but, more subtly, also by controlling that process's environment (and therefore the path from which that code imports modules, for example). (Similar concerns would apply with C-written code if the user was able to control the path from which the latter loads .so's for example -- though the OS may help more directly with such a concern).

It appears to me that pam_python is well armored against such risks, and so it should be safely usable for your purposes. However, do note that the docs point out...:

Writing PAM modules from Python incurs
a large performance penalty and
requires Python to be installed, so it
is not the best option for writing
modules that will be used widely.

So, if you're right that the mechanism you're supplying will be popular, you will probably want to code your module in C to avoid these issues. However, prototyping it in Python as a proof of concept with limited distribution, before firming it up in C, is a viable strategy.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文