Authentication against Active Directory page
Alan DeKok
aland at deployingradius.com
Sat Sep 23 22:20:10 CEST 2006
James J J Hooper <jjj.hooper at bristol.ac.uk> wrote:
> Does FreeRADIUS taint check (i.e. escape certain characters)? If not,
> does the plain text password auth bit of the page have security
> considerations?
No. It doesn't need to. That's the responsibility of the program
being executed.
i.e. FreeRADIUS calls the "execve" function, not "system", so the
shell is never used, and *no* input characters are special.
i.e. Try passing the string "$$" as the User-Name in the examples on
the web page. You will see "$$" being passed as an argument, and not
the PID of the shell.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog