Subject: Re: BSD Authentication
To: Peter Seebach <seebs@plethora.net>
From: Noriyuki Soda <soda@sra.co.jp>
List: current-users
Date: 09/09/2003 03:18:14
>>>>> On Mon, 08 Sep 2003 13:06:25 -0500,
seebs@plethora.net (Peter Seebach) said:
> With PAM, every new screen saver needs to be setuid root
That's not true.
See my description about a setuid wrapper program.
> The option of giving calling programs only those permissions they need to
> perform their function, rather than every permission they could possibly need
> to run an authenticator, is a HUGE feature from a security standpoint. If
> I want to write a little dongle that just locks my terminal, it can run with
> just *my* priviliges, no matter what the authentication scheme is.
That's not true, either. Most programs (except screensavers) still
need root privilege for authorization.
--
soda