Subject: Re: group for access to the password database
To: None <>
From: Steven M. Bellovin <>
List: tech-security
Date: 07/13/2000 14:07:38
  by with SMTP; 13 Jul 2000 18:07:56 -0000
	by (Postfix) with ESMTP
	id F2B074CE27; Thu, 13 Jul 2000 14:07:55 -0400 (EDT)
	by (8.8.7/8.8.7) with ESMTP id OAA01436;
	Thu, 13 Jul 2000 14:07:54 -0400 (EDT)
	by (Postfix) with ESMTP
	id 244C235DC2; Thu, 13 Jul 2000 14:07:41 -0400 (EDT)
From: "Steven M. Bellovin" <>
Cc: matthew green <>, (NetBSD Security Technical Discussion List)
Subject: Re: group for access to the password database 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 13 Jul 2000 14:07:38 -0400
Message-Id: <>

In message <>, Luke Mewburn writes:
>"Steven M. Bellovin" writes:
>>> ... or a little daemon you talk to over a unix socket with creditials,
>>> that way there is no set*id program at all.
>> That's a less-portable solution.  NetBSD is in better shape if it 
>> doesn't have to worry about maintaing a patch to xlock et al. for the 
>> indefinite future.
>Not necessarily; if the communication was done inside getpw*() it
>would be transparent to the caller, just as the decision to use
>/etc/passwd or /etc/master.passwd in the current code is transparent
>to the caller.
I had suggested a mechanism that just gave a Y/N answer, rather than 
one that passed back the hash password.

		--Steve Bellovin