Subject: Re: "BSD Authentication"
To: David Holland <dholland@cs.toronto.edu>
From: UNIX hacker and security officer <greywolf@starwolf.starwolf.com>
List: current-users
Date: 11/23/1998 13:27:15
David Holland sez:
/*
* > One of the advantages of BSD Auth is that a non-setuid program can
* > do authentication checks that require setuid, because the
* > authentication program can be setuid. I don't think PAM can do
* > this. This might be a plus for, e.g., screen savers.
*
* Screen savers shouldn't be doing authentication checks. Remember
* lock(1)? It would ask you for a passphrase before locking. xlock
* should be exactly the same way.
"No. it shouldn't."
1) xlock allows you to provide a crypted password for use at lock time.
2) You should be able to unlock a screensaver with the root password!
(Otherwise a screensaver could be considered DoS.) Or you should
be allowed to use your own password without having to type it in
(that's antiquated, you've got to admit).
3) Currently, xlock needs to be setuid root because it can't get passwords
otherwise.
It seems to this country wolf that something by which password authentication
can be done securely without compromising the integrity of the rest of the
system would be better than what we've got now.
* --
* - David A. Holland | (please continue to send non-list mail to
* dholland@cs.utoronto.ca | dholland@hcs.harvard.edu. yes, I moved.)
*/
--*greywolf;
--
System V was a mistake.