Subject: Politically Correct way of doing password authentication?
To: None <firstname.lastname@example.org>
From: Greg Earle <earle@isolar.Tujunga.CA.US>
Date: 09/16/1994 21:01:54
I needed a screen locker for my NetBSD/SPARC X11 R6 setup, so I pulled over my
favorite multi-purpose "xlock" successor, "xlockmore" (xlockmore-1.12, for
those of you playing along at home). After getting around a couple of thorny
porting problems, I got it working - except for the password authentication.
"xlockmore"/"xlock" wants to do "traditional" password authentication; i.e.,
get the password entry via "getpwnam()" or "getpwuid()", ask the user for a
password and encrypt it with the salt and compare the strings.
Of course, in NetBSD these routines return "*" for the encrypted password field
if the program doesn't run as "root", so no matchee da password.
There is a (half-hearted?) effort at a FreeBSD port included; it punts on this
in the Imakefile via
INSTPGMFLAGS = -s -m 4751
(The "i386FreeBsd" is wrong anyway; should be "FreeBSDArchitecture" instead.)
Normally I'm nervous about installing programs that read the password file (or
database?) setuid root, especially when they only need that priviledge for a
few lines of source :-)
Other than the canonical "login" program, what is the correct (PC or otherwise)
way to deal with this in NetBSD? Leave it installed setuid root and punt? Or
figure out a "proper" way to bracket the password checking code with the
appropriate uid-setting/unsetting calls?
(Sorry, but trying to remember all of the semantics of how - and which - to use
out of setreuid/setruid/setrgid/setuid/seteuid/setgid/setegid just gives me a
headache ... (-: )