Skip to content

Security: exatel/pam_tacplus

Security

SECURITY.md

Security Policy

Security assumptions

pam_tacplus and libtac are both used with privileges of the calling user and process the following external data:

  • user data - login and password strings, which are considered untrusted and are subject to security validation
  • configuration data - parameters set in PAM configuration file in /etc/pam.d such as server address or secret, which are considered trusted and are subject to basic semantic validation

Code in tests is not assumed to perform any security validation.

Supported Versions

All versions of pam_tacplus and libtac are supported.

Reporting a Vulnerability

For low and medium level vulnerabilities please create an issue or pull request with fixes.

For high severity issues please contact Paweł Krawczyk, numerous secure means of communication are supported.

There aren’t any published security advisories