Subject: Re: BSD Authentication
To: Peter Seebach <seebs@plethora.net>
From: Noriyuki Soda <soda@sra.co.jp>
List: current-users
Date: 09/09/2003 05:46:56
Well, I think I should stop posting to this thread, as Frank said.
But I want to answer Peter's question....

>>>>> On Mon, 08 Sep 2003 15:37:13 -0500,
	seebs@plethora.net (Peter Seebach) said:

>>> I cannot see what is magic about screensavers.

>> The magic is that screensavers don't need authorization.
>> The screensaver processes already have enough privilege;
>> what they need to perform is authentication only.

> Hmm.  Still, can we be sure that no PAM module ever needs access to the
> "real" authentication client's address space to authenticate correctly?

Well, for the screensaver case, I'm almost sure.
Perhaps I'm missing something, and in that case we should modify the
interface of the wrapper program, but I'm sure that the wrapper can
be a separate process from the screensavers.

>>> In other words, this program is exactly equivalent to a BSD auth program
>>> which passes authentication on to other modules after giving them setuid.

>> Yes. You are right.
>> The difference is that this can provide complete compatibility with
>> existing third party PAM modules (and even compatibility with existing
>> BSD auth modules, too), whereas the BSD auth framework cannot
>> provide that compatibility.

> So far as I can tell, in the cases where the wrapper would work, it can be
> either kind of wrapper and work fine.

Sorry, my answer "yes" was too simple; the wrapper is similar,
but not *exactly* equivalent to a BSD auth program.
The wrapper program needs some interface that BSD auth doesn't
provide, to support the following case:

> No.
> The separate process doesn't have to access the server's address space
> with a RADIUS server, because a RADIUS server doesn't need to perform
> authorization on the host.
	:
> This is the opposite of what I was told when I asked about why PAM was
> useful for radius.
--
soda
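The separate-process wrapper discussed above, as an added illustration that is not code from this thread, from NetBSD, or from any BSD auth or PAM implementation. A screensaver-like client hands a username and password to a helper running in its own process and gets back nothing but an exit status, so neither side ever touches the other's address space. Assumptions: the helper is a second Python interpreter standing in for a setuid helper binary (no privilege change is performed here), and the credential table inside it is constructed for the example rather than read from the system password database.

```python
"""Authentication in a separate process: the client that needs a yes/no
answer never shares an address space with the code that checks the password.

Added example, not code from the thread or from NetBSD.  The helper below is
a second Python interpreter standing in for a setuid helper binary; the
credential table is constructed for the example.
"""
import json
import subprocess
import sys

# Source of the helper process.  A real system would ship this as a
# separate setuid executable; here it is run as `python -c HELPER_SOURCE`
# so that the example is self-contained.  It reads one JSON object on
# stdin and reports its verdict solely through the exit status.
HELPER_SOURCE = r'''
import hashlib, hmac, json, sys

# Constructed credential table (assumption): user -> PBKDF2-SHA256 hash.
# A real helper would consult the system password database instead.
SALT = b"example-salt"
def _h(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 10000).hex()
CREDS = {"alice": _h("correct horse"), "bob": _h("hunter2")}

try:
    req = json.loads(sys.stdin.read())
    user, password = req["user"], req["password"]
except (ValueError, KeyError, TypeError):
    sys.exit(2)  # malformed request: never a success
expected = CREDS.get(user)
if expected is None:
    _h(password)  # unknown user: still burn a hash so timing hides it
    sys.exit(1)
sys.exit(0 if hmac.compare_digest(_h(password), expected) else 1)
'''


def _run_helper(payload: bytes, timeout: float = 5.0) -> int:
    """Start the helper as a child process, feed it `payload` on stdin and
    return its exit status.  Its stdout/stderr are discarded: the only
    channel back to the client is the status code."""
    proc = subprocess.run(
        [sys.executable, "-c", HELPER_SOURCE],
        input=payload,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        timeout=timeout,
    )
    return proc.returncode


def authenticate(user: str, password: str) -> bool:
    """Ask the helper whether (user, password) is valid.

    Only the credentials cross the process boundary, and only a yes/no
    verdict comes back; the client has no view of the helper's memory and
    the helper has no view of the client's.
    """
    request = json.dumps({"user": user, "password": password}).encode()
    return _run_helper(request) == 0


def helper_status(payload: bytes) -> int:
    """Exit status of the helper for an arbitrary stdin payload, to show
    that malformed input yields status 2 rather than being treated as a
    successful authentication."""
    return _run_helper(payload)


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"),
                     ("mallory", "x")]:
        print(f"{user}: {'unlocked' if authenticate(user, pw) else 'denied'}")
```

Because the client only inspects the exit status, any helper that speaks this tiny protocol can be swapped in (a RADIUS-backed one included) without the client growing an interface for modules to reach into its memory; that is the property the thread is arguing about.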