Darren:

> Mahmood Ali - Sun Microsystems wrote:
>> What exactly is broken in the setuid helper programs that Red Hat
>> currently uses? I have tried to understand the shortcomings of the helper
>> program but never quite understood its limitations. If you guys point
>> me to exactly what is broken, perhaps we can try to fix the broken parts?
>
> The whole architecture of it is broken. Sure it "fixes" that one module,
> but what about all the other possible modules in the PAM stack that are
> needed to authenticate/setcreds etc.?
Note that Mahmood carried on a discussion on the GNOME screensaver-list discussing the merits of the Linux versus Solaris approach towards PAM in the screensaver:

http://mail.gnome.org/archives/screensaver-list/2006-February/msg00000.html

This discussion was then taken up by me in October, 2007, and we talked about it over a period of 4 months:

http://mail.gnome.org/archives/screensaver-list/2007-October/msg00000.html
http://mail.gnome.org/archives/screensaver-list/2007-November/msg00000.html
http://mail.gnome.org/archives/screensaver-list/2007-December/msg00003.html
http://mail.gnome.org/archives/screensaver-list/2008-January/msg00000.html

I cc:ed Gary Winiger on some of these emails, hoping to get some input from somebody who really understands PAM, but he never responded.

It would be helpful to get some feedback about this discussion from people on the security team, since I suspect the people on the screensaver-list so far are probably not really PAM experts. I know I'm not, and I am not sure I've represented the "Sun way" of doing things 100% accurately. It would be even better if more security experts could get involved with this discussion on the screensaver-list, and perhaps help everybody develop a better understanding of the pros/cons, why we do things differently, how to move forward, etc.

The gnome-screensaver maintainer seems agreeable to allowing us to modify gnome-screensaver as needed to make it work on Solaris. However, he seems to be interested in reviewing patches more than discussing security theory. :) At any rate, he doesn't seem interested in doing the work for us to make gnome-screensaver work on Solaris.

Brian