Darren J Moffat wrote:
> Mahmood Ali - Sun Microsystems wrote:
>> What exactly is broken in the setuid helper programs that Red Hat
>> currently uses? I have tried to understand the shortcomings of the helper
>> program but never quite understood its limitations. If you guys point
>> me to exactly what is broken, perhaps we can try to fix the broken parts?
>
> The whole architecture of it is broken. Sure it "fixes" that one
> module, but what about all the other possible modules in the PAM stack
> that are needed to authenticate/setcreds etc.?
>
You are right. I just remembered we need to have an actual conversation with the PAM modules; that would mean listening to what the module is asking, showing that to the user, then getting the user's response and sending it back to the PAM module. And this is the part that the GNOME community at large does not entertain. Mostly, they assume authentication is going to be just username/password and do not do any conversation back and forth. This is where the disconnect between us and the GNOME community is.
But what is puzzling is how they have not discovered this brokenness in their code. And what can we do to get them to understand this better? Do we have PAM stacks that would break their code, the expired-password case, etc.?

--mahmood
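The back-and-forth Mahmood describes (listen to what the module asks, show it to the user, send the answer back) is the PAM conversation callback. The following is an added illustration, not code from this thread, from Red Hat's helper or from GNOME: it puts a "password only" callback of the kind the thread criticises next to one that handles every message style, and drives both through a constructed stand-in for an expired-password stack (the sequence pam_unix produces when it asks for the old password, announces that it expired, then asks for a new one twice). The struct layouts and constant values are copied from Linux-PAM's `<security/pam_appl.h>` so the file compiles without libpam installed; a real application includes that header instead. All function and type names other than those, and the scripted "module", are hypothetical.

```c
/* Added example, not code from the thread, Red Hat's helper or GNOME.
 * Structs and constants mirror Linux-PAM's <security/pam_appl.h> so this
 * compiles without libpam; real code includes that header instead. The
 * "module" at the bottom is a constructed stand-in for pam_unix on an
 * account whose password has expired. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_AUTH_ERR = 7, PAM_CONV_ERR = 19,
       PAM_AUTHTOK_ERR = 20 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv { int (*conv)(int, const struct pam_message **,
                              struct pam_response **, void *); void *appdata_ptr; };

/* Stand-in for the GUI: a scripted user; a NULL answer means "Cancel". */
struct scripted_user { const char **answers; int next, count; };

static char *copy(const char *s) {              /* strdup without feature macros */
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}
static void free_responses(struct pam_response *r, int n) {
    for (int i = 0; i < n; i++) free(r[i].resp);
    free(r);
}

/* The shortcut: every hidden prompt gets the stored password, and anything
 * the helper cannot display or answer aborts the whole conversation. */
static int password_only_conv(int n, const struct pam_message **msg,
                              struct pam_response **resp, void *data) {
    struct pam_response *r = calloc(n, sizeof *r);
    if (!r) return PAM_BUF_ERR;
    for (int i = 0; i < n; i++) {
        if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF || !(r[i].resp = copy(data))) {
            free_responses(r, n); return PAM_CONV_ERR;
        }
    }
    *resp = r; return PAM_SUCCESS;
}

/* Real conversation: show what the module says, answer what it asks, and
 * return exactly num_msg responses (resp left NULL where nothing was asked). */
static int full_conv(int n, const struct pam_message **msg,
                     struct pam_response **resp, void *data) {
    struct scripted_user *u = data;
    struct pam_response *r = calloc(n, sizeof *r);
    if (!r) return PAM_BUF_ERR;
    for (int i = 0; i < n; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_ON: case PAM_PROMPT_ECHO_OFF:
            if (u->next >= u->count || !u->answers[u->next]) {
                free_responses(r, n); return PAM_CONV_ERR;      /* user cancelled */
            }
            if (!(r[i].resp = copy(u->answers[u->next++]))) {
                free_responses(r, n); return PAM_BUF_ERR;
            }
            break;
        case PAM_ERROR_MSG: case PAM_TEXT_INFO:
            fprintf(stderr, "[module says] %s\n", msg[i]->msg); /* a GUI would display this */
            break;
        default: free_responses(r, n); return PAM_CONV_ERR;
        }
    }
    *resp = r; return PAM_SUCCESS;
}

/* One conversation round, issued the way a module calls pam_conv. */
static int ask(const struct pam_conv *pc, int n, const struct pam_message *m,
               struct pam_response **resp) {
    const struct pam_message *p[2];
    for (int i = 0; i < n; i++) p[i] = &m[i];
    return pc->conv(n, p, resp, pc->appdata_ptr);
}

/* Constructed stand-in for pam_unix auth + chauthtok on an expired account. */
int expired_password_stack(const struct pam_conv *pc, const char *old_pw) {
    struct pam_response *r;
    struct pam_message pw = { PAM_PROMPT_ECHO_OFF, "Password: " };
    struct pam_message info = { PAM_TEXT_INFO,
        "You are required to change your password immediately (password expired)" };
    struct pam_message chg[2] = { { PAM_PROMPT_ECHO_OFF, "New password: " },
                                  { PAM_PROMPT_ECHO_OFF, "Retype new password: " } };
    int rc = ask(pc, 1, &pw, &r);
    if (rc != PAM_SUCCESS) return rc;
    rc = r[0].resp && !strcmp(r[0].resp, old_pw) ? PAM_SUCCESS : PAM_AUTH_ERR;
    free_responses(r, 1);
    if (rc != PAM_SUCCESS) return rc;
    if ((rc = ask(pc, 1, &info, &r)) != PAM_SUCCESS) return rc;   /* helper must display */
    free_responses(r, 1);
    if ((rc = ask(pc, 2, chg, &r)) != PAM_SUCCESS) return rc;     /* two prompts at once */
    rc = r[0].resp && r[1].resp && !strcmp(r[0].resp, r[1].resp) &&
         strcmp(r[0].resp, old_pw) ? PAM_SUCCESS : PAM_AUTHTOK_ERR;
    free_responses(r, 2);
    return rc;
}

int run_password_only_helper(const char *stored_pw) {
    struct pam_conv pc = { password_only_conv, (void *)stored_pw };
    return expired_password_stack(&pc, stored_pw);
}
int run_full_conversation(const char *typed, const char *new1, const char *new2,
                          const char *old_pw) {
    const char *answers[3] = { typed, new1, new2 };
    struct scripted_user u = { answers, 0, 3 };
    struct pam_conv pc = { full_conv, &u };
    return expired_password_stack(&pc, old_pw);
}
int main(void) {
    printf("password-only helper: rc=%d (PAM_CONV_ERR=%d)\n",
           run_password_only_helper("hunter2"), PAM_CONV_ERR);
    printf("full conversation: rc=%d (PAM_SUCCESS=%d)\n",
           run_full_conversation("hunter2", "correct horse", "correct horse", "hunter2"),
           PAM_SUCCESS);
    return 0;
}
```

The password-only helper gets the old password right and still fails with PAM_CONV_ERR the moment the stack sends a PAM_TEXT_INFO it has no way to show, which is the expired-password case Mahmood asks about; the full callback displays the notice, answers the two new-password prompts in the same round, and reports Cancel as PAM_CONV_ERR rather than guessing an answer.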