Subject: Re: BSD Authentication
To: None <current-users@NetBSD.org>
From: Peter Seebach <seebs@plethora.net>
List: current-users
Date: 09/08/2003 15:37:13
In message <200309082011.h88KBqQ19435@srapc342.sra.co.jp>, Noriyuki Soda writes:
>>>>>> On Mon, 08 Sep 2003 14:55:05 -0500,
>	seebs@plethora.net (Peter Seebach) said:
>> I cannot see what is magic about screensavers.

>The magic is that screensavers don't need authorization.
>The screensaver processes already have enough privilege;
>what they need to perform is authentication only.

Hmm.  Still, can we be sure that no PAM module ever needs access to the
"real" authentication client's address space to authenticate correctly?

>> And yet, you still come down to one of two cases:
>> 1.  The access to the database happens in the radius server's address space.
>> 2.  PAM modules which would require access to the server's address space
>> to do things correctly won't work.

>No.
>The separated process doesn't have to access the server's address space
>with the radius server, because the radius server doesn't need to perform
>authorization on the host.

This is the opposite of what I was told when I asked about why PAM was
useful for radius.

>> In other words, this program is exactly equivalent to a BSD auth program
>> which passes authentication on to other modules after giving them setuid.

>Yes. You are right.
>The difference is that this can provide complete compatibility with
>existing third party PAM modules (and even compatibility with existing
>BSD auth modules, too), in contrast to the BSD auth framework, which cannot
>provide that compatibility.

So far as I can tell, in the cases where the wrapper would work, it can be
either kind of wrapper and work fine.

-s