Python PAM 模块的安全问题?
我有兴趣编写一个 PAM 模块,该模块将利用流行的 Unix 登录身份验证机制。我过去的大部分编程经验都是使用 Python 进行的,并且我正在交互的系统已经有一个 Python API。我用谷歌搜索了一下,发现 pam_python,它允许 PAM 模块调用 python 解释器,因此允许 PAM 模块本质上是用 Python 编写的。
但是,我了解到,当允许用户调用以比用户本身更高的访问级别运行的 Python 代码(例如 SUID Python 脚本)时,存在安全风险。这些问题是否也适用于 Python PAM 模块?
I'm interested in writing a PAM module that would make use of a popular authentication mechanism for Unix logins. Most of my past programming experience has been in Python, and the system I'm interacting with already has a Python API. I googled around and found pam_python, which allows PAM modules to invoke the python intrepreter, therefore allowing PAM modules to be written essentially in Python.
However, I've read that there are security risks when allowing a user to invoke Python code that runs with a higher access level than the user itself, such as SUID Python scripts. Are these concerns applicable to a Python PAM module as well?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
您提到的安全问题本身并不是关于“允许用户调用以高访问级别运行的 Python 代码”,而是允许用户对运行的运行进行任何形式的控制。此类代码的控制——最明显的是通过注入或更改代码本身,但更巧妙的是,还可以通过控制该进程的环境(例如,控制该代码导入模块的路径)。 (例如,如果用户能够控制 C 编写的代码加载
.so
的路径,则类似的问题也适用 - 尽管操作系统可能会更直接地帮助解决此类问题)。在我看来,
pam_python
能够很好地抵御此类风险,因此它应该可以安全地用于您的目的。但是,请注意文档指出...:因此,如果您认为您提供的机制将会流行,您可能会希望用 C 语言编写模块以避免这些问题。然而,在用 C 语言将其固定之前,用 Python 对其进行原型设计,作为有限分发的概念证明,是一个可行的策略。
The security concerns that you mention aren't, per se, about "allowing the user to invoke Python code" which runs with high access levels, but allowing the user to exercise any form of control over the running of such code -- most obviously by injecting or altering the code itself, but, more subtly, also by controlling that process's environment (and therefore the path from which that code imports modules, for example). (Similar concerns would apply with C-written code if the user was able to control the path from which the latter loads
.so
's for example -- though the OS may help more directly with such a concern).It appears to me that
pam_python
is well armored against such risks, and so it should be safely usable for your purposes. However, do note that the docs point out...:So, if you're right that the mechanism you're supplying will be popular, you will probably want to code your module in C to avoid these issues. However, prototyping it in Python as a proof of concept with limited distribution, before firming it up in C, is a viable strategy.