Subject: Re: BSD Authentication
To: None <current-users@NetBSD.org>
From: Peter Seebach <seebs@plethora.net>
List: current-users
Date: 09/08/2003 12:58:21
In message <20030908174745.DB9DE7B43@berkshire.research.att.com>, "Steven M. Bellovin" writes:
>While in theory you're right, in practice it may not matter. If an
>auth module has an exploitable bug, I can probably use it to trick that
>auth module into saying "yes" whenever it's invoked. In many
>situations, that will let me have the privileges of any user on the
>system, which is exactly what 'root' is. (Remember when Unix systems
>shipped with a user "bin" who owned most of the files in /bin? It's
>gone now, for good and sufficient reason.)
I think that depends a lot on the auth module. The thing is, with PAM, your
exploit can basically override anything anywhere in memory. With BSD Auth,
you have a very narrow window of things you can send to the module, and the
default behavior is to listen only for a very small set of responses. So,
in most modules, there's no way to start authenticating as anything other
than root, and change to root - and there's not much for ways to pass data
to the authenticator. Still, it is a potential hole. TTBOMK, no one has
yet found any exploits for any of the BSD Auth code.
-s
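
Added example, not part of the original message and not BSD Auth source: a simplified C sketch of the design discussed above, where the auth module runs as a separate process and the parent accepts only a small allow-list of response lines. The response keywords follow the back channel documented in OpenBSD's login.conf(5); the function names, state bits and the rule that "reject" is final are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Simplified parent-side back channel parser (illustrative names). */
enum { AUTH_OKAY = 1, AUTH_ROOTOKAY = 2, AUTH_SECURE = 4 };

/* Map one complete line to state bits; anything unrecognised returns -1. */
static int line_to_state(const char *line)
{
    static const struct { const char *text; int bits; } allowed[] = {
        { "authorize",        AUTH_OKAY },
        { "authorize secure", AUTH_OKAY | AUTH_SECURE },
        { "authorize root",   AUTH_OKAY | AUTH_ROOTOKAY },
        { "reject",           0 },
    };
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(line, allowed[i].text) == 0)
            return allowed[i].bits;
    return -1;
}

/* Fail closed: a non-zero module exit status, an over-long line, or any
 * "reject" yields 0 (not authenticated). Unknown lines grant nothing. */
int parse_backchannel(const char *buf, int exit_status)
{
    char line[64];
    int state = 0;
    if (exit_status != 0)
        return 0;
    while (*buf != '\0') {
        size_t len = strcspn(buf, "\n");
        if (len >= sizeof line)
            return 0;                 /* refuse rather than truncate */
        memcpy(line, buf, len);
        line[len] = '\0';
        buf += len + (buf[len] == '\n');
        int bits = line_to_state(line);
        if (bits == 0)
            return 0;                 /* explicit reject is final */
        if (bits > 0)
            state |= bits;            /* bits < 0: unknown line, ignored */
    }
    return state;
}

int main(void)
{
    /* Constructed module output: one junk line, then a plain authorize. */
    printf("%d\n", parse_backchannel("root=1 uid=0\nauthorize\n", 0));
    return 0;
}
```

The only thing a module can communicate to the parent here is one of four exact lines plus its exit status; everything else it writes is discarded.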