Subject: Re: RFC: migration to a fully dynamically linked system
To: None <tech-userlevel@netbsd.org>
From: None <xs@kittenz.org>
List: tech-userlevel
Date: 12/21/2001 16:23:46
on Fri, Dec 21, 2001 at 04:20:48PM +0100, Matthias Buelow wrote:
> I'd greatly appreciate a flexible PAM(-like) scenario, tho.. the
> way authentication is ATM is a bit unsatisfactory, IMHO. Some kind
> of PAM daemon which is dynamically linked and which organizes
> loading of modules and to which statically linked programs connect
> via IPC would be ok, also... that way static binaries could fallback
> to traditional stuff if the pam daemon is not available (due to
> hosed libraries or whatever.) That method would be more elegant
> than each program loading the respective modules itself via a
> pam library, even, and is a lot more failsafe.
What about a passwdfs, implemented in a similar way to portalfs? This could
be set up in a way such that a binary that does authentication doesn't
necessarily need to be s[gu]id or run as root.
echo 'mypass' >/pass/myuser/chk; echo $?
assuming echo checks the return value of write(2).
Tying authentication down to the filesystem in such a way has the
advantage of being able to mount it into chroot environments if needed
or keeping the chroot environment clean of any authentication information.
On migrating to a full dynamically linked system, I like 3 and 4.
/lib could get fubared, but then again, so could /{s,}bin.
Couldn't ld.elf_so be statically linked in, but the rest dynamically
linked? Or am I missing something?