Subject: Re: bsd authentication
To: Noriyuki Soda <firstname.lastname@example.org>
From: Jaromír <email@example.com>
Date: 06/26/2001 21:51:10
(Moved to tech-userlevel from private discussion)
Noriyuki Soda wrote:
> In summary
> - all PAM modules are to effect setuid when they are
> called from root privilege processes.
> BSD module:
> - all BSD auth modules are to effect setuid when they
> are called from root privilege processes.
> - all setuid BSD auth modules are of course setuid,
> even if it is called from normal user.
My understanding of this is that:
* PAM is not necessarily implemented using shared library/objects
e.g. RedHat is using some external programs for PAM IIRC
* PAM is not really standardized; it's different on every
system which is using it (Solaris, Linux, FreeBSD at least)
If we compare the standard implementations of PAM and BSD auth (i.e.
shared objects for PAM, external programs for BSD auth), we get:
* BSD auth module is a small, easy-to-audit external program; a rogue BSD auth
module cannot do evil things to the caller, since they live in separate address
spaces and communicate via a well-defined API
* BSD auth module does not need to be suid if its authentication method
doesn't require root access
* it's easy to provide e.g. Linux PAM-compatible authentication API, if need be
* PAM requires the caller to have necessary permissions to authenticate
the user; for most systems, that means the caller has to still be (suid) root
* PAM needs dynamic loading support, so doesn't work for statically linked
As I see it, BSD auth requires less from the caller, can be used by statically
compiled programs without problems and (suid) caller cannot be attacked
by a bogus PAM module. The only advantage of PAM is that more people
know the TLA PAM; other standardization mostly doesn't exist.
IMHO BSD auth is more suitable from security and usability POV.
Jaromir Dolecek <jdolecek@NetBSD.org> http://www.ics.muni.cz/~dolecek/
NetBSD - just plain best OS! -=*=- Got spare MCA cards or docs? Hand me them!
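
The separate-address-space argument in the message above, as an added example that is not part of the original post and is not BSD auth or PAM code: the caller forks a helper and trusts only a one-line verdict read from a pipe. The function names, the verdict strings and the sample credential are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Caller-side state that a misbehaving module might try to flip. */
static int caller_authenticated = 0;

/* Hypothetical helper: stands in for an external auth program. It runs in
 * the child process and reports its verdict as one line on fd `out`. */
static void helper_main(int out, const char *response)
{
    const char *verdict;
    caller_authenticated = 1; /* "rogue" write: lands in the child's copy only */
    /* "constructed-secret" is a constructed sample credential. */
    verdict = strcmp(response, "constructed-secret") == 0 ? "authorize\n" : "reject\n";
    _exit(write(out, verdict, strlen(verdict)) < 0 ? 1 : 0);
}

/* Returns 1 if the helper authorized, 0 if it did not, -1 on error. */
int authenticate_via_helper(const char *response)
{
    int fds[2], status;
    char buf[32] = {0};
    ssize_t n;
    pid_t pid;

    if (pipe(fds) != 0) return -1;
    pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) { close(fds[0]); helper_main(fds[1], response); }
    close(fds[1]);
    n = read(fds[0], buf, sizeof buf - 1);
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || n <= 0) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1;
    return strcmp(buf, "authorize\n") == 0; /* any other reply fails closed */
}

int caller_state(void) { return caller_authenticated; }

int main(void)
{
    printf("good=%d bad=%d caller_state=%d\n",
           authenticate_via_helper("constructed-secret"),
           authenticate_via_helper("wrong"), caller_state());
    return 0;
}
```

A module loaded as a shared object into the caller would perform the same write to `caller_authenticated` inside the caller's own memory, which is the exposure the message attributes to the shared-object design.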