> Sorry; but I'm going to return us to this flamewar...

        Let's not continue that.  I did want to correct a misconception
        on what screenlocks do, however.

> This is an excellent reason for the process which calls PAM _not_ to be an 
> external helper.  As noted, screensavers don't open sessions.  They do call 
> pam_authenticate(), and may also call pam_setcred(PAM_REFRESH_CRED)

        First they audit that they are locking.  This requires privilege
        in most (all) systems.
        For unlocking they present a trusted path to the user.  This
        requires some special rights on most (all) systems.
        They then pam_authenticate(), pam_acct_mgmt() -- which may return
        PAM_AUTHTOK_EXPIRED, if so they call pam_chauthtok() -- then
        call pam_setcred(PAM_REFRESH_CRED), potentially all of these
        may require on most (all) systems.
        Finally they audit the screen unlock.  This requires privilege
        in most (all) systems.

Gary..
