In message <200309081734.h88HY8Ae011260@guild.plethora.net>, Peter Seebach writ
es:

>>Because every BSD auth module runs with root privilege, each new
>>module introduces risks that a compromised module modifies other
>>process's state by ptrace(2).
>
>BSD auth modules run with whatever privileges you choose to give them.  If you
>wanted to make one which ran under a non-root user ID, and make it use files
>readable and writable only by that user ID, that would work too.  Some can
>run under whatever uid is trying to log in.
>

While in theory you're right, in practice it may not matter.  If an 
auth module has an exploitable bug, I can probably use it to trick that 
auth module into saying "yes" whenever it's invoked.  In many 
situations, that will let me have the privileges of any user on the 
systenm, which is exactly what 'root' is.  (Remember when Unix systems 
shipped with a user "bin" who owned most of the files in /bin?  It's 
gone now, for good and sufficient reason.)


		--Steve Bellovin, http://www.research.att.com/~smb