Subject: Politically Correct way of doing password authentication?
To: None <>
From: Greg Earle <earle@isolar.Tujunga.CA.US>
List: current-users
Date: 09/16/1994 21:01:54
I needed a screen locker for my NetBSD/SPARC X11 R6 setup, so I pulled over my
favorite multi-purpose "xlock" successor, "xlockmore" (xlockmore-1.12, for
those of you playing along at home).  After getting around a couple of thorny
porting problems, I got it working - except for the password authentication.

"xlockmore"/"xlock" wants to do "traditional" password authentication; i.e.,
get the password entry via "getpwnam()" or "getpwuid()", ask the user for a
password and encrypt it with the salt and compare the strings.

Of course, in NetBSD these routines return "*" for the encrypted password field
if the program doesn't run as "root", so no matchee da password.

There is a (half-hearted?) effort at a FreeBSD port included; it punts on this
in the Imakefile via

	#if defined(i386FreeBsd)
	   INSTPGMFLAGS = -s -m 4751

(The "i386FreeBsd" is wrong anyway; should be "FreeBSDArchitecture" instead.)

Normally I'm nervous about installing programs that read the password file (or
database?) setuid root, especially when they only need that priviledge for a
few lines of source :-)

Other than the canonical "login" program, what is the correct (PC or otherwise)
way to deal with this in NetBSD?  Leave it installed setuid root and punt?  Or
figure out a "proper" way to bracket the password checking code with the
appropriate uid-setting/unsetting calls?

(Sorry, but trying to remember all of the semantics of how - and which - to use
 out of setreuid/setruid/setrgid/setuid/seteuid/setgid/setegid just gives me a
 headache ... (-: )

	- Greg