Subject: Re: BSD Authentication
To: Peter Seebach <seebs@plethora.net>
From: Noriyuki Soda <soda@sra.co.jp>
List: current-users
Date: 09/09/2003 04:09:05
>>>>> On Mon, 08 Sep 2003 13:51:54 -0500,
	seebs@plethora.net (Peter Seebach) said:

>>> With PAM, every new screen saver needs to be setuid root

>> That's not true.
>> See my description about a setuid wrapper program.

> Ahh, but this won't work - the whole point of PAM is that the actual
> program needing authentication has to have the PAM module in its address
> space so the client's address space can be altered.

Sorry, I cannot understand your argument here.
The problem with screensavers is that such programs have root
privilege needlessly. If we have the wrapper program, we don't have to
have the problem at all, because no screensaver needs to be setuid
root, and we only have one setuid program with PAM instead of 6 extra
setuid programs and 7 extra setgid programs like BSD auth needs.

> If, in fact, a setuid wrapper program is sufficient for PAM, then we
> can do PAM-over-BSD-auth.

That's not true.
Please read my point 2 in Message-Id:
<200309081634.h88GYH514983@srapc342.sra.co.jp>

>>> just *my* privileges, no matter what the authentication scheme is.

>> That's not true, either. Most programs (except screensavers) still
>> need root privilege for authorization.

> No, they need to use root privileges to do something once authorized.

It seems you are ignoring the fact that getty, ftpd, rlogind, rshd,
telnetd, and any other programs which perform authentication (except
screensavers) already have root privilege before performing
authentication.

Please show an example, which performs authentication but doesn't need
root privilege, except screensavers.
(The reason I'm skipping screensavers here is because the problem of
 screensavers can be fixed very easily even with PAM as I said above.)
--
soda
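The setuid wrapper design soda argues for above, worked through as an added example (this is not code from the thread, from NetBSD, or from any screensaver): the screensaver runs as the user and is never setuid; it execs a single setuid-root helper, hands it the password over a pipe rather than on argv or in the environment (both readable by other users via ps), and learns only an exit status. The helper's credential check is the one place PAM would be linked in; here `helper_check` is a constructed in-memory table standing in for `pam_start`/`pam_authenticate`/`pam_end` so the program runs offline, and the helper path, the `--helper` flag and the two accounts are assumptions for the demo.

```c
/* Privilege-separated screensaver unlock: unprivileged client side plus
 * the helper side, in one file so it runs stand-alone.  Added example,
 * not code from the thread. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* ---- helper side: in a real build this is the one setuid-root binary ---- */

/* Constructed stand-in for the PAM conversation; not a real account db. */
static const struct { const char *user, *pass; } fake_db[] = {
    { "alice", "correct horse" },
    { "bob",   "hunter2" },
};

/* Returns 1 if user/pass match, 0 otherwise (unknown user answers like a
 * wrong password so the exit status leaks nothing about which it was). */
int helper_check(const char *user, const char *pass)
{
    for (size_t i = 0; i < sizeof fake_db / sizeof fake_db[0]; i++)
        if (strcmp(fake_db[i].user, user) == 0)
            return strcmp(fake_db[i].pass, pass) == 0;
    return 0;
}

/* Zero a secret without the compiler eliding the stores. */
static void wipe(char *p, size_t n) { volatile char *v = p; while (n--) *v++ = 0; }

/* Helper entry: argv[1] is the user name (not secret, so argv is fine);
 * the password is one line on stdin.  Result is reported by exit status
 * only: 0 = authenticated, 1 = refused, 2 = usage error. */
int helper_main(int argc, char **argv)
{
    char buf[256];
    if (argc != 2 || !fgets(buf, sizeof buf, stdin))
        return 2;
    buf[strcspn(buf, "\n")] = '\0';
    int ok = helper_check(argv[1], buf);
    wipe(buf, sizeof buf);
    return ok ? 0 : 1;
}

/* ---- screensaver side: runs as the user, never gains privilege ---- */

/* Spawn helper_argv (execv style, helper_argv[0] is the path), feed it the
 * password over a pipe and return 1 on success, 0 on refusal, -1 on a
 * transport or usage error.  A newline would end the line early, so a
 * password containing one is refused up front. */
int unlock_via_helper(char *const helper_argv[], const char *pass)
{
    int fds[2];
    if (strchr(pass, '\n') || pipe(fds) != 0)
        return -1;
    signal(SIGPIPE, SIG_IGN);          /* helper may die before reading */
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]);
        close(fds[1]);                 /* child must not hold the write end */
        execv(helper_argv[0], helper_argv);
        _exit(127);
    }
    close(fds[0]);
    size_t len = strlen(pass);         /* short writes stay under PIPE_BUF */
    ssize_t w = write(fds[1], pass, len);
    if (w == (ssize_t)len) w = write(fds[1], "\n", 1);
    close(fds[1]);
    int status;
    if (waitpid(pid, &status, 0) != pid || w < 0 || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 0:  return 1;
    case 1:  return 0;
    default: return -1;                /* usage error or exec failure */
    }
}

/* Demo: "--helper USER" makes this binary act as the helper; otherwise it
 * acts as the screensaver and spawns itself as the helper. */
int main(int argc, char **argv)
{
    if (argc == 3 && strcmp(argv[1], "--helper") == 0)
        return helper_main(argc - 1, argv + 1);
    char *const helper_argv[] = { argv[0], "--helper", "bob", NULL };
    int r = unlock_via_helper(helper_argv, "hunter2");
    printf("unlock result: %d\n", r);
    return r == 1 ? 0 : 1;
}
```

In a real deployment the helper would be installed setuid root with a minimal environment, and `helper_check` would do the PAM conversation; the screensaver links against nothing privileged, which is the whole point of the wrapper argument. Note that the helper learns only whether the password is right, so a screensaver that needs the user's credentials for anything else (ticket refresh, for instance) needs more than this exit-status protocol.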