> I understand the desire not to run the screensaver program with
> privileges but the component that calls libpam(3pam) API needs to be
> running with privilege. It isn't and shouldn't be up to the modules to
> work out what privilege they need.
>
> Unfortunately this was never well documented in any PAM documentation so
> I can easily understand how the setuid helper for authentication was
> implemented.

How does this helper architecture present a Trusted Path to the user:

5.9.1 Trusted Path (FTP_TRP)

5.9.1.1 Explicit: Trusted Path (FTP_TRP_EXP.1)

FTP_TRP_EXP.1.1 The TSF shall provide a communication path between
itself and remote and local users that is logically distinct from other
communication paths and provides assured identification of the TSF to
the requesting user and protection of the communicated data from
disclosure or undetected modification.

Application Note: This "distinct" path is merely invoked for the
duration of its being needed (e.g., for reauthenticating the user); it
need not be invoked for the duration of the user's session.

FTP_TRP_EXP.1.2 The TSF shall permit local users and remote users to
initiate communication via the trusted path.

FTP_TRP_EXP.1.3 The TSF shall require the use of the trusted path for
user authentication and user identification during TOE session
establishment, for operations to modify authentication data, for
protection of authentication data when a locked session is being
unlocked and all other operations requiring a human user to enter
authentication data.

How does it support pam_setcred()?

Gary..