Alan:

> Brian Cameron wrote:
>> Some Linux people say that this approach is better because it follows
>> "least privilege" principles, only providing authority to code that
>> needs it rather than running the whole PAM stack as root.
>>
>> However, on Solaris we have more sophisticated "least privilege"
>> technologies that allow us to easily run PAM modules as root and
>> drop privileges that are not needed. 
> 
> How can we do that when we have no idea what privileges PAM modules we've
> never seen may need?   For instance, if we dropped the fork/exec privilege
> it would break PAM modules that did use helper programs for whatever reason.

Sorry, I wasn't trying to suggest that we should use least privilege in
any particular way with PAM.  I was just highlighting that on Solaris we
probably think about least privilege in different ways than they do on
Linux.

> Short of extending pam.conf to list required privileges for each module, and
> then having the PAM library drop those not needed, I don't see any way we can
> safely apply least privilege to PAM clients like xscreensaver.

Although using least-privilege might not make sense with PAM modules, it
does seem a good idea to try to take advantage of least privilege
technologies when possible.

Your suggestion to make it possible to configure the privileges for PAM
modules seems like it wouldn't be a horrible idea.

Brian

