Subject: Re: BSD Authentication
To: Noriyuki Soda <soda@sra.co.jp>
From: None <itojun@iijlab.net>
List: current-users
Date: 09/09/2003 01:17:44
>seebs@plethora.net (Peter Seebach), wrote:
>> the caller's address space; this means that, even apart from an intentional
>> attack, that a bug in a PAM module can do things within an otherwise
>> carefully-audited program.  Each new module introduces that risk all over
>The same problem exists in BSD auth, too.
>Because every BSD auth module runs with root privilege, each new	<---
>module introduces risks that a compromised module modifies other
>process's state by ptrace(2).

	the above statement (arrow) is not true.  authentication modules do
	not have to be run with root privilege.  for instance, login_passwd needs
	to run *in the current form of NetBSD* because access to /etc/spwd.db
	needs root privilege.  in fact, OpenBSD login_passwd is not setuid root.
	we can reduce the number of setuid root login_xx if we design things
	carefully.

itojun


# uname -a
OpenBSD tapioca.itojun.org 3.4 GENERIC#78 macppc
# ls -l /usr/libexec/auth
total 304
-r-xr-sr-x  4 root  _token   13792 Sep  6 08:43 login_activ
-r-sr-xr-x  1 root  auth     16320 Sep  6 08:43 login_chpass
-r-xr-sr-x  4 root  _token   13792 Sep  6 08:43 login_crypto
-r-sr-xr-x  1 root  auth      6500 Apr 14  2002 login_krb4
-r-sr-xr-x  1 root  auth      7240 Apr 14  2002 login_krb4-or-pwd
-r-sr-xr-x  1 root  auth      8820 Sep  6 08:43 login_krb5
-r-sr-xr-x  1 root  auth      9556 Sep  6 08:43 login_krb5-or-pwd
-r-sr-xr-x  1 root  auth     13504 Sep  6 08:43 login_lchpass
-r-xr-sr-x  1 root  _shadow   6564 Sep  6 08:43 login_passwd
-r-xr-sr-x  1 root  _radius  12624 Sep  6 08:43 login_radius
-r-xr-xr-x  1 root  auth      4812 Sep  6 08:43 login_reject
-r-xr-sr-x  1 root  auth      6732 Sep  6 08:43 login_skey
-r-xr-sr-x  4 root  _token   13792 Sep  6 08:43 login_snk
-r-xr-sr-x  4 root  _token   13792 Sep  6 08:43 login_token
# ls -l /etc/sp*
-rw-r--r--  1 root  wheel     1876 Jun 18 13:10 /etc/spamd.conf
-rw-r-----  1 root  _shadow  40960 Jun 19 21:54 /etc/spwd.db
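
The distinction drawn in the message, setuid root versus setgid to a dedicated group such as _shadow, can be read straight off the mode strings in the listing. The shell functions below are an added example, not part of the original message or of OpenBSD; the function names are illustrative and the embedded listing is copied from the message above.

```shell
#!/bin/sh
# Classify `ls -l` lines by how each file gains privilege when executed.
classify_auth_modules() {
    awk '
    # Regular files only; this also skips the "total N" line.
    length($1) >= 10 && substr($1, 1, 1) == "-" {
        u = substr($1, 4, 1)   # owner execute slot: s or S means setuid
        g = substr($1, 7, 1)   # group execute slot: s or S means setgid
        suid = (u == "s" || u == "S")
        sgid = (g == "s" || g == "S")
        if (suid)      kind = "setuid-" $3   # runs with the owner uid
        else if (sgid) kind = "setgid-" $4   # runs with the file group only
        else           kind = "unprivileged"
        print kind, $NF
    }'
}

# Listing copied from the message above (OpenBSD 3.4).
sample_listing() {
cat <<'EOF'
total 304
-r-xr-sr-x  4 root  _token   13792 Sep  6 08:43 login_activ
-r-sr-xr-x  1 root  auth     16320 Sep  6 08:43 login_chpass
-r-xr-sr-x  4 root  _token   13792 Sep  6 08:43 login_crypto
-r-sr-xr-x  1 root  auth      6500 Apr 14  2002 login_krb4
-r-sr-xr-x  1 root  auth      7240 Apr 14  2002 login_krb4-or-pwd
-r-sr-xr-x  1 root  auth      8820 Sep  6 08:43 login_krb5
-r-sr-xr-x  1 root  auth      9556 Sep  6 08:43 login_krb5-or-pwd
-r-sr-xr-x  1 root  auth     13504 Sep  6 08:43 login_lchpass
-r-xr-sr-x  1 root  _shadow   6564 Sep  6 08:43 login_passwd
-r-xr-sr-x  1 root  _radius  12624 Sep  6 08:43 login_radius
-r-xr-xr-x  1 root  auth      4812 Sep  6 08:43 login_reject
-r-xr-sr-x  1 root  auth      6732 Sep  6 08:43 login_skey
-r-xr-sr-x  4 root  _token   13792 Sep  6 08:43 login_snk
-r-xr-sr-x  4 root  _token   13792 Sep  6 08:43 login_token
EOF
}

# Count modules in the sample whose class starts with the given prefix.
count_class() {
    sample_listing | classify_auth_modules |
        awk -v c="$1" 'index($1, c) == 1 { n++ } END { print n + 0 }'
}

sample_listing | classify_auth_modules
```

On a live system, `ls -l /usr/libexec/auth | classify_auth_modules` gives the same kind of report.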