current-users: Re: BSD Authentication

Subject: Re: BSD Authentication
To: Peter Seebach <seebs@plethora.net>
From: Noriyuki Soda <soda@sra.co.jp>
List: current-users
Date: 09/09/2003 04:23:50
>>>>> On Mon, 08 Sep 2003 14:14:28 -0500,
	seebs@plethora.net (Peter Seebach) said:

>> Sorry, I cannot understand your argument here.
>> The problem with screensavers is that such programs have root
>> privilege needlessly. If we have the wrapper program, we don't have to
>> have the problem at all, because no screensaver needs to be setuid
>> root, and we only have one setuid program with PAM instead of 6 extra
>> setuid programs and 7 extra setgid programs like BSD auth needs.

> But everyone has been saying that it is *necessary* that a PAM module
> be run in the caller's address space; that this feature is required by
> real-world PAM modules.

Yes. But with screensavers, "the caller" isn't a screensaver, but the
wrapper program.

> If a setuid wrapper program to run authentication works, then that
> feature must be optional.

Yes, in above sense.

>>> If, in fact, a setuid wrapper program is sufficient for PAM, then we
>>> can do PAM-over-BSD-auth.

>> That's not true.
>> Please read my point 2 in Message-Id:
>> <200309081634.h88GYH514983@srapc342.sra.co.jp>

> I did, and if it is correct that some PAM modules need to be able to
> change the state of the caller, then those PAM modules cannot be run
> under the setuid wrapper - they will not have access to the *actual*
> caller.

It seems you are misunderstanding here.
PAM modules need to able to change the state of the caller, if
it's called from programs like getty, ftpd, rlogind, rshd and telnetd.
But PAM modules don't have to change the state, if ti's called from
screensavers.

>> Please show an example, which performs authentication but doesn't need
>> root privilege, except screensavers.

> A radius server.

Thanks you.
And in that case, does BSD auth provides better security than PAM?
No.

In a configuration that BSD auth doesn't need root setuid root
programs with a radius server, PAM doesn't need root privilege for
the raidus server configuration at all.
In a configuration that PAM needs root privilege with the radius server,
BSD auth does need its setuid root module, too.

So, there is no difference about necessity of root privilege
between PAM and BSD auth in this case.
--
soda