Subject: Re: BSD Authentication
To: None <current-users@NetBSD.org>
From: Peter Seebach <seebs@plethora.net>
List: current-users
Date: 09/08/2003 12:34:08
In message <200309081555.h88FtHv14212@srapc342.sra.co.jp>, Noriyuki Soda writes:
>seebs@plethora.net (Peter Seebach), wrote:
>> the caller's address space; this means that, even apart from an intentional
>> attack, that a bug in a PAM module can do things within an otherwise
>> carefully-audited program.  Each new module introduces that risk all over

>The same problem exists in BSD auth, too.

Not necessarily.

>Because every BSD auth module runs with root privilege, each new
>module introduces risks that a compromised module modifies other
>process's state by ptrace(2).

BSD auth modules run with whatever privileges you choose to give them.  If you
wanted to make one which ran under a non-root user ID, and make it use files
readable and writable only by that user ID, that would work too.  Some can
run under whatever uid is trying to log in.

-s
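
The two properties argued over in this thread, shown as an added example that is not part of the original message and not code from the BSD auth framework: an authentication check run in a separate process under a chosen uid/gid, with only an exit status returned to the caller. It uses generic POSIX calls; `run_auth_helper`, `drop_privileges`, `check_secret`, `audited_state` and the sample secret are hypothetical names and constructed values.

```c
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#include <grp.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stands in for state the carefully audited caller depends on. */
int audited_state = 42;

/* Constructed stand-in for a module's credential check (hypothetical). */
static int check_secret(const char *secret) {
    return strcmp(secret, "correct horse") == 0;
}

/* Permanently become uid/gid. Order matters: groups, then gid, then uid. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && uid != 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* root must be unrecoverable */
    return (getuid() == uid && geteuid() == uid) ? 0 : -1;
}

/* Returns 1 = accept, 0 = reject, -1 = helper failure (treat as reject). */
int run_auth_helper(const char *secret, uid_t uid, gid_t gid) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                      /* child: the "module" */
        if (drop_privileges(uid, gid) != 0) _exit(2);
        audited_state = 0;               /* simulated module bug: stays in the child */
        _exit(check_secret(secret) ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == 0) return 1;
    return WEXITSTATUS(status) == 1 ? 0 : -1;
}

int main(void) {
    /* Helper runs under the caller's own uid/gid, so this works unprivileged too. */
    int ok = run_auth_helper("correct horse", getuid(), getgid());
    return (ok == 1 && audited_state == 42) ? 0 : 1;
}
```

A helper that cannot reach the requested uid exits with a failure status, which the caller treats as a reject rather than continuing with more privilege than intended.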