on Fri, Dec 21, 2001 at 04:20:48PM +0100, Matthias Buelow wrote:
> I'd greatly appreciate a flexible PAM(-like) scenario, tho..  the
> way authentication is ATM is a bit unsatisfactory, IMHO.  Some kind
> of PAM daemon which is dynamically linked and which organizes
> loading of modules and to which statically linked programs connect
> via IPC would be ok, also... that way static binaries could fallback
> to traditional stuff if the pam daemon is not available (due to
> hosed libraries or whatever.)  That method would be more elegant
> than each program loading the respective modules itself via a
> pam library, even, and is a lot more failsafe.

What about a passwdfs, implemented in a similar way to portalfs? This could
be set up in a way such that a binary that does authentication doesn't
necessarily need to be s[gu]id or run as root.

    echo 'mypass' >/pass/myuser/chk; echo $?

assuming echo checks the return value of write(2).

Tying authentication down to the filesystem in such a way has the
advantage of being able to mount it into chroot environments if needed
or keeping the chroot environment clean of any authentication information.


On migrating to a full dynamically linked system, I like 3 and 4.
/lib could get fubared, but then again, so could /{s,}bin.

Couldn't ld.elf_so be statically linked in, but the rest dynamically
linked? Or am I missing something?