Subject: Re: BSD Authentication
To: Peter Seebach <seebs@plethora.net>
From: Noriyuki Soda <soda@sra.co.jp>
List: current-users
Date: 09/09/2003 03:18:14
>>>>> On Mon, 08 Sep 2003 13:06:25 -0500,
	seebs@plethora.net (Peter Seebach) said:

> With PAM, every new screen saver needs to be setuid root

That's not true.
See my description about a setuid wrapper program.

> The option of giving calling programs only those permissions they need to
> perform their function, rather than every permission they could possibly need
> to run an authenticator, is a HUGE feature from a security standpoint.  If
> I want to write a little dongle that just locks my terminal, it can run with
> just *my* privileges, no matter what the authentication scheme is.

That's not true, either. Most programs (except screensavers) still
need root privilege for authorization.
--
soda