Subject: Re: BSD auth for AFS
To: NetBSD Security Technical Discussion List <tech-security@NetBSD.ORG>
From: Jason Thorpe <thorpej@wasabisystems.com>
List: tech-userlevel
Date: 09/13/2003 00:07:49
On Friday, September 12, 2003, at 10:58  PM, Greg A. Woods wrote:

> [I believe I do know the level of difficulty, and even if I understand it
> only minimally then indeed it isn't very difficult at all.
>
> The overall process is still identical to the way AFS authorization
> works today.  All we're doing is telling the kernel to create the
> initial Process Authentication Group (PAG) for a different process than
> the caller.  I.e. we're either modifying setpag(2) to take a PID
> parameter, or we're creating a variant called something like
> setpag_parent(2).  We're not creating a PAG and then assigning it to
> some other process so there's no chance for abuse by the superuser.

But you've over-simplified the problem.  Sure, you're suggesting a 
solution for this *one specific case*.  But you are NOT solving the 
general problem, which is that BSD Auth is fundamentally incapable of 
modifying the context of the process requesting the authentication, 
which is a capability that is sometimes necessary and which PAM has.

         -- Jason R. Thorpe <thorpej@wasabisystems.com>