dynamic /bin /sbin
Matthew Dillon
dillon at apollo.backplane.com
Sun Jul 27 11:05:19 PDT 2003
::If the latter: each authentication mechanism is supplied by a
::dynamically-linked "plug-in". Getting an nscd or lookupd to partition -
::ie, sandbox - unstable plugins is a bit more work, but still doable.
::
::The point about libc containing a "fallback" mechanism is precisely so
::that a failure of lookupd won't leave the box _completely_ dead in the
::water.
::
::--
::jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
:
: I would say we definitely want to keep a fallback mechanism in
: libc... a simple spwd (e.g. master.passwd) mechanism ought to be
: sufficient.
:
: I really hate the idea of using dynamically linked plug-ins for
: authentication, at least when used with standard applications.
: I think it's a disaster waiting to happen. It might be reasonable
: to use plug-ins for a port service based authentication daemon
: since that is a far more controlled situation.

I'm going to expand on this a bit.. the reason I think authentication
plug-ins are a disaster for standard applications is because it creates
a weak link within the application itself. If you have numerous
authentication mechanisms one bug could put all of your applications
(and the environments they run in, some of which might be encrypted
secure) at risk.

In a more controlled environment, such as in a port service, we can
spend the time necessary to isolate each mechanism in its own VFS/syscall
environment so the absolute worst it can do is mis-authenticate.
That's bad enough, but it is better than the alternative.

-Matt
Matthew Dillon
<dillon at xxxxxxxxxxxxx>
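
Added example, not part of the original message or of any project code: a minimal C sketch of the design discussed in this thread, where each authentication mechanism runs in its own child process, the caller receives only a one-byte verdict, and a crashed mechanism falls through to a built-in check. All function names, accounts and passwords are constructed for illustration, and only process isolation is shown, not the VFS/syscall confinement the message describes.

```c
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum verdict { DENY = 0, ALLOW = 1, MECH_FAILED = 2 };
typedef int (*mech_fn)(const char *user, const char *pass);
/* Constructed mechanisms (hypothetical): one works, one crashes. */
int mech_ok(const char *u, const char *p) {
    return strcmp(u, "alice") == 0 && strcmp(p, "s3cret") == 0;
}
int mech_buggy(const char *u, const char *p) {
    (void)u; (void)p; raise(SIGSEGV);   /* stands in for a plug-in bug */
    return 1;                           /* never reached */
}
/* Built-in fallback, standing in for a master.passwd lookup in libc. */
int fallback_check(const char *u, const char *p) {
    return strcmp(u, "root") == 0 && strcmp(p, "constructed-pw") == 0;
}

/* Run one mechanism in a child; only a single verdict byte comes back. */
enum verdict run_isolated(mech_fn m, const char *u, const char *p) {
    int fd[2], st = 0;
    if (pipe(fd) != 0) return MECH_FAILED;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return MECH_FAILED; }
    if (pid == 0) {                       /* child: the only place m() runs */
        unsigned char v = m(u, p) ? ALLOW : DENY;
        _exit(write(fd[1], &v, 1) == 1 ? 0 : 1);
    }
    close(fd[1]);
    unsigned char v = DENY;
    ssize_t n = read(fd[0], &v, 1);       /* 0 bytes if the child died early */
    close(fd[0]);
    if (waitpid(pid, &st, 0) != pid) return MECH_FAILED;
    if (n != 1 || !WIFEXITED(st) || WEXITSTATUS(st) != 0 || v > ALLOW)
        return MECH_FAILED;
    return (enum verdict)v;
}

/* A failed mechanism degrades to the fallback, never to ALLOW. */
int authenticate(mech_fn m, const char *u, const char *p) {
    enum verdict v = run_isolated(m, u, p);
    return v == MECH_FAILED ? fallback_check(u, p) : v == ALLOW;
}

int main(void) {   /* exit status 0: the crash did not grant access */
    return authenticate(mech_buggy, "alice", "s3cret");
}
```

A mechanism that returns a wrong answer without crashing is still believed, which is the "mis-authenticate" worst case named in the message.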