Subject: Re: BSD Authentication
To: None <current-users@NetBSD.org>
From: Dan Melomedman <dan@devonit.com>
List: current-users
Date: 08/29/2003 12:47:55
Peter Seebach wrote:
> In message <Pine.GSO.4.55.0308291053220.26043@fs7.liv.ac.uk>, "Dr R.S. Brooks" 
> writes:
> >No, that's the whole point of PAM.  No magic whatsoever in login (or
> >sshd, ftpd, xdm etc if the sysadmin decides to allow such logins
> >through those routes).  All the magic is contained in the PAM modules,
> >and is turned on by the appropriate configuration in /etc/pam.conf.
> >If you have a binary program which you have purchased from Foobar Inc
> >and it uses PAM, then you will be able to make it behave in the same
> >magic way with the correct entries in pam.conf.
> 
> Okay, I see; so, basically, the idea is that a PAM module doesn't just
> authenticate you, it totally 0wnz you, scribbling whatever it wants wherever
> it wants in your address space.
> 
> That said, there's *some* magic in login - it has to know to load the PAM
> modules.

Everything needing PAM needs to be linked against libpam. If a PAM module
needs to be root, your authenticated process must be privileged on
its behalf, which is another reason why I don't like it.
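
An added example, not part of the original message or of any PAM distribution: the thread's point is that every module named for a service in /etc/pam.conf is loaded into that service's own process, so this sketch lists the modules per service and flags any that sit outside a trusted directory. The sample file, `DEFAULT_MODULE_DIR`, `TRUSTED_DIRS` and the function names are assumptions; it handles the plain `service type control module-path [args]` line form only.

```python
import posixpath

DEFAULT_MODULE_DIR = "/usr/lib/security"  # assumption: differs per platform
TRUSTED_DIRS = (DEFAULT_MODULE_DIR,)      # assumption: set by site policy

# Constructed sample in the classic single-file pam.conf layout.
SAMPLE_PAM_CONF = """\
# service type    control    module-path [arguments]
login   auth     required   /usr/lib/security/pam_unix.so
login   account  required   /usr/lib/security/pam_unix.so
sshd    auth     required   /usr/lib/security/pam_unix.so
sshd    auth     sufficient /opt/foobar/lib/pam_foobar.so debug
ftpd    auth     required   pam_unix.so \\
                            nullok
"""

def parse_pam_conf(text):
    """Return (service, type, control, module_path, args) for each entry."""
    entries = []
    # Join backslash-continued lines before splitting into entries.
    for line in text.replace("\\\n", " ").splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank line, comment, or malformed entry
        service, mtype, control, module = fields[:4]
        if not module.startswith("/"):
            # Bare module names resolve against the default module directory.
            module = posixpath.join(DEFAULT_MODULE_DIR, module)
        module = posixpath.normpath(module)
        entries.append((service, mtype, control, module, fields[4:]))
    return entries

def modules_by_service(text):
    """Map each service to the modules that end up in its address space."""
    loaded = {}
    for service, _type, _control, module, _args in parse_pam_conf(text):
        loaded.setdefault(service, set()).add(module)
    return {svc: sorted(mods) for svc, mods in loaded.items()}

def outside_trusted_dirs(text):
    """Return (service, module) pairs loaded from outside TRUSTED_DIRS."""
    flagged = set()
    for service, _type, _control, module, _args in parse_pam_conf(text):
        if posixpath.dirname(module) not in TRUSTED_DIRS:
            flagged.add((service, module))
    return sorted(flagged)

if __name__ == "__main__":
    for svc, mods in modules_by_service(SAMPLE_PAM_CONF).items():
        print(svc, "loads", ", ".join(mods))
    print("outside trusted dirs:", outside_trusted_dirs(SAMPLE_PAM_CONF))
```

Each flagged pair is third-party code that runs with whatever privilege the named service holds while it authenticates.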