Subject: Re: PAM
To: NetBSD-current Discussion List <current-users@netbsd.org>
From: Dan Melomedman <dan%dan.dan@devonit.com>
List: current-users
Date: 09/26/2002 11:30:53
Greg A. Woods wrote:
> Fundamentally the failures of BIND and Sendmail have nothing whatsoever
> to do with their monolithic structure -- it's the domain of their
> implementation which has made their implementations error prone, not
> their basic composition as single long-running privileged processes.
> After all the kernel is also a very large and hopefully long running
> program with full privileges, even more than any user-land process it
> services normally has.
> 
> Software written in plain C for Unix using the traditional standard
> library, and especially using NUL-terminated strings carelessly, and not
> following the principles of privilege separation and keeping the
> privileged code as small and simple as possible will lend itself to
> critical programming errors.  The privilege separation is really only
> necessary though because it's very hard to write safe and secure code
> using C and the standard library.  A mathematically proven correct
> "system" could run entirely with the highest privileges and still be
> trusted.

I agree about strings, and the standard library. However, modularizing a
system into more than one process has other advantages than just
privilege separation - the code size is reduced, debugging is easier,
and a fault in one module doesn't bring the whole system down.

With PAM, a fault in a module has the potential to break every service
which relies on it. Whereas with authenticators as separate processes,
the services are unaffected - either deny access or allow it, not crash
and burn by modifying yourself like the PAM module wants you to.
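As an added illustration of the point above (example code, not part of the thread or of any PAM implementation): the service forks the authenticator into a child and accepts only a one-byte allow/deny verdict over a pipe, so a module that crashes yields a denial instead of taking the service down. The credentials and the two stand-in modules are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The service only ever sees one of these two answers. */
enum { AUTH_DENY = 0, AUTH_ALLOW = 1 };
typedef int (*auth_fn)(const char *user, const char *pass);

/* Run the authenticator in a forked child.  Its only channel back to the
 * service is a single byte on a pipe: if the child crashes or writes
 * nothing, the service treats that as a denial and keeps running. */
int authenticate_isolated(auth_fn check, const char *user, const char *pass)
{
    int fds[2], status;
    unsigned char verdict = AUTH_DENY;
    if (pipe(fds) == -1)
        return AUTH_DENY;
    pid_t pid = fork();
    if (pid == -1) {
        close(fds[0]); close(fds[1]);
        return AUTH_DENY;
    }
    if (pid == 0) {                 /* child: run the (possibly buggy) module */
        close(fds[0]);
        verdict = check(user, pass) ? AUTH_ALLOW : AUTH_DENY;
        if (write(fds[1], &verdict, 1) != 1)
            _exit(1);
        _exit(0);
    }
    close(fds[1]);                  /* parent: read verdict, then reap child */
    ssize_t n = read(fds[0], &verdict, 1);
    close(fds[0]);
    waitpid(pid, &status, 0);
    /* A signalled child, a non-zero exit, or a missing byte is never an allow. */
    if (n != 1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return AUTH_DENY;
    return verdict == AUTH_ALLOW ? AUTH_ALLOW : AUTH_DENY;
}

/* Constructed stand-in for a correct module (hypothetical fixed credentials). */
int good_checker(const char *user, const char *pass)
{
    return strcmp(user, "alice") == 0 && strcmp(pass, "secret") == 0;
}

/* Constructed stand-in for a faulty module that crashes instead of answering. */
int crashing_checker(const char *user, const char *pass)
{
    (void)user; (void)pass; abort();
}
```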