Subject: Re: confused on getpwnam behaviour
To: John F. Woods <jfw@ksr.com>
From: Michael L. VanLoon -- Iowa State University <michaelv@iastate.edu>
List: current-users
Date: 04/12/1994 16:47:17

John F. Woods writes:
> Michael L. VanLoon writes:
>> This is good. But what if a user program wants to validate his/her
>> own password? Shouldn't this return a valid password entry if the
>> requested uid is the same as the effective uid, or effective uid is 0?
>> Currently, this breaks the new xlock (xlockmore).
>I believe the general theory here is that different subsystems should use
>*different* passwords; it is, by this light, an _error_ that xlock wants
>to use the login password. After all, the same key doesn't open your car
>and your home, does it?

I'm not sure I agree with this. Having a zillion different passwords
for everything you use isn't terribly productive. Kerberos here at
ISU gives us a secure way to modify client programs like screen so
they can use your One True Password without compromising security.

I guess the answer to the xlockmore problem is to modify it to check
real uid instead of effective, then install it setuid-root.

--Michael
-----------------------------------------------------------------------------
Michael L. VanLoon Iowa State University Computation Center
michaelv@iastate.edu Project Vincent Systems Staff
Free your mind and your machine -- NetBSD free Un*x for PC/Mac/Amiga/etc.
-----------------------------------------------------------------------------
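
The real-uid lookup proposed in the message above, as an added example that is not part of the original message and is not xlockmore code. The function names `fetch_invoker_hash` and `drop_privileges` are hypothetical, the code assumes a BSD-style `getpwuid()` that fills `pw_passwd` with the real hash only when the effective uid is 0, and the permanent privilege drop after the lookup goes beyond what the message proposes.

```c
/* Added example: names below are hypothetical, not xlockmore code. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Copy the invoking user's password hash into out while still privileged.
 * Keyed on the REAL uid, so a setuid-root binary reads the caller's entry,
 * not root's. Assumes a BSD-style getpwuid() that fills pw_passwd with the
 * real hash only when the effective uid is 0. Returns 0 on success. */
int fetch_invoker_hash(char *out, size_t outlen)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || pw->pw_passwd == NULL)
        return -1;
    if (strlen(pw->pw_passwd) >= outlen)   /* refuse to truncate a hash */
        return -1;
    strcpy(out, pw->pw_passwd);
    return 0;
}

/* Permanently give up root. Returns 0 only if root cannot be regained. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    if (setgid(getgid()) != 0 || setuid(ruid) != 0)
        return -1;
    if (ruid != 0 && setuid(0) == 0)       /* regaining root must fail */
        return -1;
    return geteuid() == ruid ? 0 : -1;
}

int main(void)
{
    char hash[256];
    int have_hash = fetch_invoker_hash(hash, sizeof hash);
    if (drop_privileges() != 0) {          /* never continue as root */
        fprintf(stderr, "cannot drop privileges\n");
        return 1;
    }
    if (have_hash != 0) {
        fprintf(stderr, "no password entry for uid %ld\n", (long)getuid());
        return 1;
    }
    /* From here on the locker runs unprivileged and only compares typed
     * passwords against the saved hash. */
    printf("hash saved (%zu bytes), euid is now %ld\n",
           strlen(hash), (long)geteuid());
    return 0;
}
```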