Subject: Re: BSD Authentication
To: None <current-users@NetBSD.org>
From: Dan Melomedman <dan@devonit.com>
List: current-users
Date: 09/09/2003 12:06:24
Peter Seebach wrote:
> >It seems you are ignoring the fact that getty, ftpd, rlogind, rshd,
> >telnetd, and any other programs which perform authentication (except
> >screensavers) already have root privilege before performing
> >authentication.
> 
> In general, yes.

Of course one of the right things to do for authenticators is to require
the root privilege while it is needed for the authentication, then drop
it as soon as possible. Root privilege code should be minimal, and
should be easy to audit. Try to audit pam-ldap module for example -
huge.

As far as services are concerned, the right thing to do
is to drop root, and chroot to a jail as soon as it's not needed. Too bad
this methodology isn't used often. Sendmail and BIND traditionally
didn't have this feature.  I believe the new BIND finally has this
feature, and the risk for the root exploit is lower with the new BIND.
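The drop-root-then-chroot sequence described above, as an added example in C (not code from this thread or from any of the daemons it names); the daemon uid/gid and the /var/empty jail directory are assumed values, and the final check confirms that root really cannot be regained:

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Verify the drop is irreversible: real and effective uid are non-root and
 * an attempt to become root again is refused. A seteuid()-only "drop" keeps
 * saved uid 0 and would pass the first test but fail the second.
 * Returns 1 if root is gone for good, 0 otherwise. */
int privileges_dropped(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    if (setuid(0) == 0)
        return 0;                  /* got root back: the drop was incomplete */
    return 1;
}

/* Confine the process to a jail (if one is given) and permanently give up
 * root. Order matters: chroot() needs root, so it runs before the setuid()
 * that throws root away; chdir("/") afterwards so no cwd outside the jail
 * survives; setgroups() clears supplementary groups that setgid() alone
 * would leave behind. Returns 0 on success, -1 on failure (errno set). */
int drop_privileges(uid_t uid, gid_t gid, const char *jail)
{
    if (uid == 0) {
        errno = EINVAL;            /* "dropping" to root is not a drop */
        return -1;
    }
    if (jail != NULL && (chroot(jail) != 0 || chdir("/") != 0))
        return -1;
    /* Only root may call setgroups(); an unprivileged caller has nothing to clear. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)          /* gid first: after setuid() it would fail */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return privileges_dropped() ? 0 : -1;
}

int main(void)
{
    /* Assumed values: a dedicated unprivileged account and an empty jail. */
    if (drop_privileges(1001, 1001, "/var/empty") != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid %u inside the jail; root cannot be regained\n",
           (unsigned)geteuid());
    return 0;
}
```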