Subject: Re: BSD Authentication
To: None <current-users@NetBSD.org>
From: Dan Melomedman <dan@devonit.com>
List: current-users
Date: 09/09/2003 12:15:30
Noriyuki Soda wrote:
> > I did, and if it is correct that some PAM modules need to be able to
> > change the state of the caller, then those PAM modules cannot be run
> > under the setuid wrapper - they will not have access to the *actual*
> > caller.
> 
> It seems you are misunderstanding here.
> PAM modules need to able to change the state of the caller, if
> it's called from programs like getty, ftpd, rlogind, rshd and telnetd.

And that, again IMO is the fundamental design flaw in PAM.

> Thank you.
> And in that case, does BSD auth provides better security than PAM?
> No.

Of course, it doesn't change the state of the caller, whether the caller
is a wrapper or not.

> BSD auth does need its setuid root module, too.

But there's a necessity for the root privilege to be dropped when not
needed, and there is a necessity for the root code to be easily auditable.
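To make the design point concrete, here is an added example (not code from this thread, from NetBSD or from BSD auth itself) of the privilege-separated authentication pattern the post argues for: the check runs in a forked child, only a yes/no verdict crosses a pipe back to the caller, the child drops root before doing anything beyond reading the credential store, and the caller's own process state cannot be touched by the checker. The credential store, the user names and the drop-to uid 65534 are constructed assumptions for the demo; a real checker would read master.passwd and compare with crypt(3).

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for master.passwd (plaintext only to keep the demo
   self-contained; a real checker would store and compare crypt(3) hashes). */
struct cred { const char *user; const char *secret; };
static const struct cred STORE[] = {
    { "alice", "correct horse" },
    { "bob",   "hunter2" },
};

/* Caller-side state. The checker child will try to flip it; the caller
   must not see that change, because the child is a separate process. */
static int caller_flag = 0;
int caller_flag_value(void) { return caller_flag; }

/* Constant-time string equality so the verdict timing does not leak
   how many leading characters matched. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), i;
    unsigned char diff = (unsigned char)(la ^ lb);
    for (i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* The privileged part. Runs only in the child. */
static int check_in_child(const char *user, const char *pass) {
    const char *secret = NULL;
    size_t i;
    /* Step 1: the only thing that needs root is reading the store. */
    for (i = 0; i < sizeof STORE / sizeof STORE[0]; i++)
        if (strcmp(STORE[i].user, user) == 0)
            secret = STORE[i].secret;
    /* Step 2: drop privilege before touching untrusted input any further.
       Assumption: uid/gid 65534 is an unprivileged "nobody" account.
       Skipped when the demo is not running as root. */
    if (geteuid() == 0) {
        if (setgid(65534) != 0 || setuid(65534) != 0)
            return 0; /* failing to drop privilege is a rejection */
    }
    /* Step 3: the comparison itself, now unprivileged. */
    if (secret == NULL)
        return 0;
    return ct_equal(secret, pass);
}

/* Caller-side API in the spirit of auth_userokay(3).
   Returns 1 = accepted, 0 = rejected, -1 = checker could not run. */
int privsep_userokay(const char *user, const char *pass) {
    int fd[2], status;
    pid_t pid;
    char verdict = 'n';
    ssize_t n;

    if (pipe(fd) == -1)
        return -1;
    pid = fork();
    if (pid == -1) { close(fd[0]); close(fd[1]); return -1; }

    if (pid == 0) {                      /* child: the checker */
        int ok;
        close(fd[0]);
        ok = check_in_child(user, pass);
        caller_flag = 1;                 /* attempt to alter caller state */
        verdict = ok ? 'y' : 'n';
        if (write(fd[1], &verdict, 1) != 1)
            _exit(2);
        _exit(ok ? 0 : 1);
    }

    close(fd[1]);                        /* parent: only reads a verdict */
    n = read(fd[0], &verdict, 1);
    close(fd[0]);
    while (waitpid(pid, &status, 0) == -1 && errno == EINTR)
        ;
    if (n != 1 || !WIFEXITED(status))
        return -1;                       /* a crashed checker is not a "yes" */
    /* Require the byte on the pipe and the exit status to agree. */
    return (verdict == 'y' && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void) {
    printf("alice/correct horse -> %d\n", privsep_userokay("alice", "correct horse"));
    printf("bob/wrong           -> %d\n", privsep_userokay("bob", "wrong"));
    printf("caller_flag after checks = %d (child's write was not visible)\n",
           caller_flag_value());
    return 0;
}
```

The part that needs auditing is check_in_child: a few dozen lines, with the privileged read, the privilege drop and the comparison clearly separated. Whatever the checker does after the drop, it cannot reach into the caller's address space, which is the property the thread contrasts with in-process PAM modules.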