> On Feb 15, 2022, at 5:13 PM, Mouse <mo...@rodents-montreal.org> wrote:
>
>> There really should be a function that takes a user name or ID and a clearte$
>
> Maybe. But then you have a lot more failure modes and a lot more
> possible attack surface. It would also mean that you can't check or
> change passwords in single-user mode without starting the magic daemon;
> that would be a substantial regression as far as user experience goes,
> if nothing else. And what about checking the root password for
> single-user boot with insecure console?
You put the fallback logic into the function libc that can satisfy the request
using the Old Way if the helper isn’t available. Obviously, to satisfy it the
Old Way, the process would need to have root privileges, but this would be OK
in the scenario you’re describing.
> It _is_, however, very much in keeping with the "encapsulate
> single-purpose code into a single place" attitude that has brought a
> lot of benefits. I wonder if there isn't some better way I'm missing.
It’s certainly a lot better than having a big complex program (that exposes
itself to the network, potentially) require root privileges just to check
passwords.
-- thorpej
