Subject: Re: BSD auth for NetBSD
To: Jun-ichiro itojun Hagino <>
From: Noriyuki Soda <>
List: tech-security
Date: 09/16/2003 11:34:30
>>>>> On Sun, 14 Sep 2003 11:19:58 +0900 (JST), (Jun-ichiro itojun Hagino) said:
> 	have you ever used recent OpenBSD?

No. I just looked at their makefile slightly.
That's the reason why I thought they abandoned the feature.

>	login(1) in OpenBSD will exec su(1)
> 	if username is passed, and effectively preserves "login foo" behavior.
> 	if you have commnted without checking the fact, i suggest you to do
> 	fact-checking before you post next time.

Thank you for the clarify.

But that doesn't affect my point.
Let me say my point again:

	The reason why login(1) on OpenBSD isn't setuid root
	isn't because OpenBSD is using BSD auth.

As you pointed out, the reason is because it internally calls
su(1) to switch the user id. And of course, the same thing can be with
PAM, too. Thus, the conclusion is same:

	Refering /usr/bin/login as an example of the benefit of
	BSD auth is just wrong.

If this still doesn't convince you, please re-read what you wrote

You wrote:
>>> programs that needs authentication just need to be setgid "auth" (to
>>> access authentication programs under /usr/libexec/auth).

And look at the mode of /usr/bin/login on OpenBSD, it isn't setgid "auth".