Subject: Re: suid helper to verify own passwd
To: Christian Biere <christianbiere@gmx.de>
From: Joerg Sonnenberger <joerg@britannica.bec.de>
List: tech-security
Date: 12/22/2006 15:48:26

On Fri, Dec 22, 2006 at 03:58:18AM +0100, Christian Biere wrote:
> If one wants to limit the use of this helper to programs which are supposed to
> make use of it, you could make them set-gid "may-use-passwd-helper". The helper
> could check for this group using the credentials. In this simple case it might
> as well use getgid() or getegid().

That would defeat the purpose of running without increased privileges.
This helper is supposed to handle one specific problem and do that well:
a program executed by a normal user wants to verify the password of the
very same user. It can't do that using pam_unix as it can't access
master.passwd. Requiring any sgid for the helper is unacceptable as it
means that a user can't exploit this facility with self-compiled
binaries.

Now about possible abuses: root in his wisdom might decide to activate
this for other PAM users by changes in /etc/pam.d. The worst case is
allowing the utilising application to check the password of the user it
is currently running as. This is a configuration bug and IMO the
consequences are not worse than what would happen without this helper.

Joerg
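
The two access policies discussed in this thread, side by side, as an added C example that is not code from the helper or from either poster. The function names, the gid 990 and the lookup through getpwnam() are assumptions; it covers only the decision of who may ask, not the password comparison.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Gate from the quoted proposal: callers must run set-gid to a dedicated
 * group. A helper that is only set-uid keeps the caller's effective gid
 * across exec, so it can test it with getegid(). */
int gate_by_group(gid_t caller_egid, gid_t helper_gid)
{
    return caller_egid == helper_gid;
}

/* Gate from the reply: any caller is admitted, but only for the account
 * behind its own real uid. Uids are compared rather than names, so login
 * names that share one uid are treated as the same account. */
int gate_same_user(uid_t caller_ruid, const char *target)
{
    struct passwd *pw;

    if (target == NULL || *target == '\0')
        return 0;
    pw = getpwnam(target);
    return pw != NULL && pw->pw_uid == caller_ruid;
}

int main(int argc, char **argv)
{
    /* Constructed gid standing in for "may-use-passwd-helper" (assumption). */
    const gid_t helper_gid = 990;

    if (argc != 2) {
        fprintf(stderr, "usage: %s username\n", argv[0]);
        return 2;
    }
    /* getuid(), not geteuid(): under set-uid root the effective uid is 0
     * for every caller and identifies nobody. */
    printf("group gate:     %s\n",
        gate_by_group(getegid(), helper_gid) ? "allow" : "refuse");
    printf("same-user gate: %s\n",
        gate_same_user(getuid(), argv[1]) ? "allow" : "refuse");
    return 0;
}
```

Run from an ordinary, self-compiled binary, the group gate refuses while the same-user gate allows the caller's own account name and refuses every other.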