Subject: Re: BSD Authentication
To: None <current-users@NetBSD.org>
From: Joerg Sonnenberger <joerg@britannica.bec.de>
List: current-users
Date: 09/08/2003 18:59:58

On Tue, Sep 09, 2003 at 01:34:17AM +0900, Noriyuki Soda wrote:
> > 	we can reduce the number of setuid root login_xx if we design things
> > 	carefully.
> 
> I don't think you mean OpenBSD's BSD auth isn't implemented carefully.
> Thus, BSD auth needs 6 extra setuid programs and 7 extra setgid
> programs as its nature. Right?
> 
> Anyways, PAM can reduce the number of setuid programs more than BSD auth.
> (If we provide one setuid wrapper for programs like xlock).
> Because PAM itself doesn't need any privilege promotion like BSD auth.

First of all, BSD auth does not need any additional privileges by itself.
Just those needed for the authenticator. Therefore login, xlock and the
like _never_ need to be setuid root for the purpose of authentication.
That is different from PAM, where every application must be able to deal
with the set-bits just in case. Providing a setuid wrapper doesn't
reduce the number of programs requiring or possibly requiring extended
privileges.

Second, the argument of BSD auth needing 6 extra setuid and 7 extra setgid
programs is somewhat misguided. If you use only the local master.passwd
and e.g. radius for authentication, you have two setgid programs on
OpenBSD (login_passwd, login_radius). If you want to restrict the
use of a plugin to a specific group e.g. auth, the various programs using
BSD auth must be setgid auth, too, but that is not necessary and
is only provided as an additional barrier. It is entirely possible
to have xlock with no set-bit at all.

Joerg

> --
> soda
> 
>
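
The set-bit layout discussed in this message can be checked mechanically. The following is an added example, not part of the original post or of any BSD auth code: it inventories the set-id bits on the login_* helpers and reports whether a client such as xlock carries a bit that the helper layout actually calls for. The function names, the sample modes and gid 11 are constructed for illustration.

```python
import os
import stat

def set_bits(mode):
    """Names of the set-id bits present in an st_mode value."""
    flags = ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
    return [name for bit, name in flags if mode & bit]

def scan(paths):
    """Stat real files into the {path: (mode, gid)} shape audit() takes."""
    out = {}
    for p in paths:
        if os.path.isfile(p):
            st = os.stat(p)
            out[p] = (st.st_mode, st.st_gid)
    return out

def audit(helpers, clients):
    """Return (kind, name, finding) rows for helpers and their callers."""
    rows, restricted = [], set()
    for name, (mode, gid) in sorted(helpers.items()):
        rows.append(("helper", name, "+".join(set_bits(mode)) or "no set-bit"))
        # A helper that "other" cannot execute is restricted to its group,
        # so only callers running with that group can invoke it.
        if not mode & stat.S_IXOTH:
            restricted.add(gid)
    for name, (mode, gid) in sorted(clients.items()):
        bits = set_bits(mode)
        if "setuid" in bits:
            note = "setuid: not required for authentication under BSD auth"
        elif "setgid" in bits and gid in restricted:
            note = "setgid: matches a group-restricted helper"
        elif "setgid" in bits:
            note = "setgid: no restricted helper uses this group"
        else:
            note = "no set-bit"
        rows.append(("client", name, note))
    return rows

# Constructed sample modes (not taken from a real system); gid 11 is made up.
SAMPLE_HELPERS = {"login_passwd": (0o102555, 11), "login_radius": (0o102550, 11)}
SAMPLE_CLIENTS = {"xlock": (0o100555, 0), "login": (0o104555, 0)}

if __name__ == "__main__":
    for row in audit(SAMPLE_HELPERS, SAMPLE_CLIENTS):
        print(*row, sep="\t")
```

On a live system, pass the result of `scan()` over the helper and client paths to `audit()` in place of the sample dictionaries.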