Subject: Re: pseudo-shadowing of passwords [...]
To: None <tech-security@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-security
Date: 10/13/1998 16:51:13
>> It occurs to me - would it be worthwhile to have a syntax for the
>> password field in /etc/master.passwd, copied to /etc/passwd by
>> pwd_mkdb, that says "go look in .password in the user's homedir"?
> Interesting idea. If you change such that ~/.password is a copy
> rather than the repository you might be better off. Ie. the only
> change would be for getpwent to check ~/.password if euid != 0 and
> for passwd to put a copy of the new hash in there if it already
> exists and is safe etc etc.
Thinking about it, yes, this is the correct way to go. You do *not*
want anyone who manages to write files as joe to be able to thereby
change joe's password. (Or maybe you do - perhaps there should be
*two* magic syntaxes, one which says ".password is the repository" and
another which says ".password is a copy".)
> That way the vast bulk of current semantics would hold true yet xlock
> et al would not need to be set-uid.
Yeah - if you manage to write files as joe you can sort-of set joe's
password: you can set it for things running as joe, but not for things
running as root. Perhaps if getpwent by root notices that .password is
supposed to be a copy but it actually differs, it should log a security
alert?
der Mouse
mouse@rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
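The lookup rule the two messages sketch, as an added example (not code from this thread or from NetBSD's libc): non-root callers read the hash from ~/.password, root reads master.passwd and logs an alert when a supposed copy disagrees with it, and a separate marker makes ~/.password the repository. The two field markers and the sample hashes are constructed placeholders; the thread proposes two magic syntaxes but spells neither.

```c
#include <stdio.h>
#include <string.h>

/* Constructed markers for the password field; the thread proposes two
 * syntaxes but names neither, so these spellings are placeholders. */
#define MARK_REPO "*REPO*"   /* ~/.password is the repository itself   */
#define MARK_COPY "*COPY*"   /* ~/.password is a copy of master.passwd */
#define LOCKED    "*"        /* nothing usable: behave as a locked account */

static int has_prefix(const char *s, const char *p)
{
    return strncmp(s, p, strlen(p)) == 0;
}

/*
 * pw_resolve: the rule getpwent would apply under the proposed scheme.
 *   field   - password field as read by the caller: from master.passwd
 *             when euid == 0, otherwise from /etc/passwd, where pwd_mkdb
 *             has copied only the marker and dropped the hash.
 *   dotfile - contents of ~/.password (already trimmed), or NULL if absent.
 *   euid    - caller's effective uid.
 *   alert   - set to 1 when root sees a copy that disagrees with the
 *             repository, the case the message suggests logging.
 * Returns a pointer into one of the inputs (or LOCKED); no allocation.
 */
const char *pw_resolve(const char *field, const char *dotfile, unsigned euid, int *alert)
{
    *alert = 0;
    if (has_prefix(field, MARK_REPO))           /* ~/.password is authoritative */
        return dotfile ? dotfile : LOCKED;

    if (has_prefix(field, MARK_COPY)) {
        const char *authoritative = field + strlen(MARK_COPY);
        if (euid != 0)                          /* unprivileged: use the copy */
            return dotfile ? dotfile : LOCKED;
        if (dotfile && strcmp(dotfile, authoritative) != 0)
            *alert = 1;                         /* someone rewrote ~/.password as joe */
        return authoritative;                   /* root never trusts the copy */
    }
    return field;                               /* ordinary entry: unchanged */
}

int main(void)
{
    int alert;
    /* Constructed sample values, not real hashes. */
    const char *h = pw_resolve(MARK_COPY "$1$xx$real", "$1$xx$forged", 0, &alert);
    printf("root sees %s, alert=%d\n", h, alert);
    h = pw_resolve(MARK_COPY, "$1$xx$forged", 1000, &alert);
    printf("user sees %s, alert=%d\n", h, alert);
    return 0;
}
```

The unprivileged lookup shows the limit der Mouse describes: a forged ~/.password changes what processes running as joe see, but never what root sees, and root's lookup is where the mismatch gets noticed.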