On Thu, Mar 06, 2008 at 11:00:06AM -0800, Alan Coopersmith wrote:
> How can we do that when we have no idea what privileges PAM modules we've
> never seen may need? For instance, if we dropped the fork/exec privilege
> it would break PAM modules that did use helper programs for whatever reason.

PAM modules may require any and all [zone] privileges. Using PAM requires all [zone] privileges. This does not mean that you can't proxy PAM calls from one process to another, if you really want -- arguably embedded_su(1) does just that. But pam_setcred(3PAM) will only apply to the caller's process, not its "client," so that is going to be an issue. Happily, in this case, not, because the screen lock program always exits when the screen is unlocked -- it certainly doesn't start sessions, but if it did those would have to be fork()ed from the process that makes the PAM calls.

Nico
--