Alan Coopersmith wrote:
> Darren J Moffat wrote:
>> What other PAM modules (from Linux-PAM or other places) would you like
>> to see included in OpenSolaris distros (specifically in Solaris
>> Express and the Indiana project distro)?
>
> From the screensaver point of view, the one Linux-PAM'ism that's bitten
> us most lately is their changes to allow programs to call PAM without
> root privileges when checking the current user's authentication (i.e.
> in an unlock dialog), so that their screen lock doesn't have to be setuid
> root and can use GTK without the split personality we've had to put into
> our xscreensaver, and then fix the dozens of bugs it causes.
>
> Their pam_unix module calls a setuid helper program to get your shadow
> entry when needed - not sure if any other modules have or need privs.

Which in my opinion is fundamentally broken behaviour. While it works for the pam_authenticate() call in that specific module, in general running pam_authenticate() and pam_setcred() without privilege just won't work for some modules. For example the Solaris pam_unix_cred module won't be able to do its job properly (it won't be insecure but it won't do what it is supposed to do) - while this doesn't actually matter in the screensaver case it does in the general case.

I understand the desire not to run the screensaver program with privileges but the component that calls libpam(3pam) API needs to be running with privilege. It isn't and shouldn't be up to the modules to work out what privilege they need.

Unfortunately this was never well documented in any PAM documentation so I can easily understand how the setuid helper for authentication was implemented.

--
Darren J Moffat