
Re: porting PAM

From: Will Backman <whb(at)ceimaine.org>
Date: Wed May 28 2003 - 10:24:22 EDT

A ghost from the past rises again...

http://mail-index.netbsd.org/tech-userlevel/2001/06/26/0000.html

Noriyuki Soda wrote:
> In summary
> PAM:
> - all PAM modules are to effect setuid when they are
> called from root privilege processes.
> BSD module:
> - all BSD auth modules are to effect setuid when they
> are called from root privilege processes.
> - all setuid BSD auth modules are of course setuid,
> even if it is called from normal user.

My understanding of this is that:
* PAM is not necessarily implemented using shared library/objects,
  e.g. RedHat is using some external programs for PAM IIRC
* PAM is not really standardized; it's different on every
  system which is using it (Solaris, Linux, FreeBSD at least)

If we compare standard implementation of PAM and BSD auth (i.e. shared objects for PAM, external programs for BSD auth), we get:

  • BSD auth module is small, easy to audit external program; rogue BSD auth module cannot do evil things to caller, since they live in separate address space and communicate via well-defined API
  • BSD auth module does not need to be suid if its authentication method doesn't require root access
  • it's easy to provide e.g. Linux PAM-compatible authentication API, if need be
  • PAM requires the caller to have necessary permissions to authenticate the user; for most systems, that means the caller has to still be (suid) root
  • PAM needs dynamic loading support, so doesn't work for statically linked programs.

As I see it, BSD auth requires less from the caller, can be used by statically compiled programs without problems and (suid) caller cannot be attacked by a bogus PAM module. The only advantage of PAM is that more people know the TLA PAM, other standardization mostly doesn't exist.

IMHO BSD auth is more suitable from security and usability POV.


Bob Beck wrote:

>>Now of course Theo was talking about something other than PAM. But
Received on Wed May 28 10:29:43 2003
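The property the thread keeps coming back to, that an external auth program lives in its own address space and can only answer the caller over a narrow protocol, is easy to see in code. The following is an added example written for this archive page; it is not code from the NetBSD thread, from OpenBSD's BSD auth, or from any PAM implementation. It sketches a BSD-auth-style caller: the check runs in a forked child, the child may only answer "accept" or "reject" over a pipe, and the parent fails closed on anything else. The credential table, the `misbehave` switch used to simulate a rogue module, and the function names are all constructed for the demo; a real BSD auth caller would `execve` a separate `login_*` program rather than call a function after `fork`.

```c
/* Added example (not from the thread): process-isolated authentication in
 * the BSD auth style. The "module" runs in a child; the caller only trusts
 * the exact token "accept\n" from a cleanly exited child. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

enum auth_result { AUTH_OK = 0, AUTH_REJECT = 1 };

/* Constructed demo credential table; hypothetical users and passwords. */
static const struct { const char *user; const char *pass; } demo_table[] = {
    { "alice", "correct horse" },
    { "bob",   "hunter2" },
};

/* Child side: the "auth module". The misbehave flag is a demo-only knob
 * that lets us see how the caller copes with a broken or rogue module:
 *   0 = behave, 1 = exit abnormally without answering, 2 = violate protocol. */
static void module_main(int out_fd, const char *user, const char *pass, int misbehave)
{
    const char *reply = "reject\n";
    if (misbehave == 1)
        _exit(42);                      /* module dies: caller must not treat this as success */
    if (misbehave == 2) {
        reply = "lol\n";                /* not a valid protocol token */
    } else {
        for (size_t i = 0; i < sizeof demo_table / sizeof demo_table[0]; i++)
            if (strcmp(demo_table[i].user, user) == 0 &&
                strcmp(demo_table[i].pass, pass) == 0)
                reply = "accept\n";
    }
    (void)write(out_fd, reply, strlen(reply));
    _exit(0);
}

/* Caller side: whatever the child does, the only outcomes here are OK or REJECT.
 * The child cannot touch the caller's memory, so a buggy module cannot
 * corrupt the (possibly privileged) caller the way an in-process module could. */
enum auth_result auth_via_child(const char *user, const char *pass, int misbehave)
{
    int fds[2];
    if (pipe(fds) != 0)
        return AUTH_REJECT;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return AUTH_REJECT; }
    if (pid == 0) {
        close(fds[0]);
        module_main(fds[1], user, pass, misbehave);   /* never returns */
    }
    close(fds[1]);

    /* Bounded read of the reply; anything beyond the buffer is drained and
     * ignored so a chatty child cannot wedge the caller in waitpid(). */
    char buf[32];
    size_t n = 0;
    ssize_t r = 0;
    while (n < sizeof buf - 1 && (r = read(fds[0], buf + n, sizeof buf - 1 - n)) > 0)
        n += (size_t)r;
    buf[n] = '\0';
    char scratch[64];
    while (read(fds[0], scratch, sizeof scratch) > 0)
        ;
    close(fds[0]);

    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return AUTH_REJECT;
    /* Fail closed: only a clean exit AND the exact token count as success. */
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return AUTH_REJECT;
    if (strcmp(buf, "accept\n") != 0)
        return AUTH_REJECT;
    return AUTH_OK;
}

int main(void)
{
    printf("alice/correct pw  -> %d\n", auth_via_child("alice", "correct horse", 0));
    printf("alice/wrong pw    -> %d\n", auth_via_child("alice", "nope", 0));
    printf("module dies       -> %d\n", auth_via_child("alice", "correct horse", 1));
    printf("protocol violated -> %d\n", auth_via_child("alice", "correct horse", 2));
    return 0;
}
```

The two misbehaving cases are the point of the exercise: a module that crashes or speaks garbage still yields REJECT, and nothing it does can alter the caller's state. With a PAM-style module loaded via `dlopen` into the same process, the equivalent failure runs with the caller's privileges in the caller's address space, which is the asymmetry the thread is describing. Because the check happens in a separate process, the child could also drop privileges before running a method that does not need root, which is why the thread notes that such modules need not be setuid.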

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:48:40 EDT