Subject: Re: BSD auth for NetBSD
To: Jun-ichiro itojun Hagino <itojun@itojun.org>
From: Noriyuki Soda <soda@sra.co.jp>
List: tech-security
Date: 09/14/2003 09:08:10
>>>>> On Sun, 14 Sep 2003 08:07:51 +0900 (JST),
	itojun@itojun.org (Jun-ichiro itojun Hagino) said:

> 	one of the benefit of BSD auth (which has not been mentioned here)

That's already mentioned. See the discussion about screensavers.

> 	with PAM, setuid programs(like /usr/bin/login) needs to stay setuid
> 	root, and they have to introduce dlopen() which can open up a can
> 	of worms.

As already mentioned by me, refering /usr/bin/login as an example
for this is just wrong.
/usr/bin/login doesn't have to be setuid root even with PAM,
it if doesn't need the traditional feature that users can
change their login-user from their login-shell.
The reason that /usr/bin/login has be to setuid root is not
only because it needs authentication, but also because it
needs authorization (i.e. it needs setuid(), setgid() and 
setgroups()) from an unprivileged state (i.e. from login-shell).

If /usr/bin/login doesn't need to change the login-user from a
login-shell, it doesn't need the setuid bit at all, because it is
usually invoked with root privilege (except the login-shell case).

> itojun[starfruit:~] ls -l `find /usr/bin -perm 4555 -print` `find /usr/sbin -perm 4555 -print`

Your example isn't quite right.
Most of your examples (including /usr/bin/login) aren't related to the
PAM vs BSD auth difference.

> 	is that it can reduce the number of setuid root programs directly
> 	invoked from the user.

And as I alreday wrote, this is the point where I think BSD auth
made a mistake. Actually there is only very few number of such programs
except screensavers. And the problem of screensavers can be fixed even
with PAM easily.
So, actual number of setuid programs may rather increases with BSD auth,
due to its authentication modules.
--
soda