Subject: Re: BSD Authentication
To: None <itojun@iijlab.net>
From: Noriyuki Soda <soda@sra.co.jp>
List: current-users
Date: 09/09/2003 01:34:17
>>>>> On Tue, 09 Sep 2003 01:17:44 +0900, itojun@iijlab.net said:

>> The same problem exists in BSD auth, too.
>> Because every BSD auth module runs with root privilege, each new	<---
>> module introduces risks that a compromised module modifies other
>> process's state by ptrace(2).

> 	the above statement (arrow) is not true.  authentication modules do
> 	not have to be run with root privilege.

Yeah, you are right.
My expression was somewhat misleading. Thanks for the clarification.

> 	we can reduce the number of setuid root login_xx if we design things
> 	carefully.

I don't think you mean OpenBSD's BSD auth isn't implemented carefully.
Thus, BSD auth needs 6 extra setuid programs and 7 extra setgid
programs by its nature. Right?

Anyways, PAM can reduce the number of setuid programs more than BSD auth.
(If we provide one setuid wrapper for programs like xlock).
Because PAM itself doesn't need any privilege promotion like BSD auth.

Anyway, the reason I prefer PAM is simple.
1. We need PAM anyway, for compatibility with other UNIX.
2. If we implement PAM over BSD auth, some third party PAM modules
  may stop working, because some PAM modules may require the feature
  that they can change the state of the caller process.
3. Thus, we have to implement PAM as a basic feature (and implement
  BSD auth over PAM, if BSD auth compatibility is needed), instead
  of vice versa.
--
soda