Re: dynamic /bin /sbin

[Matthew Dillon <dillon@xxxxxxxxxxxxxxxxxxxx>]

::If the latter: each autentication mechanism is supplied by a
::dynamically-linked "plug-in". Getting an nscd or lookupd to partition -
::ie, sandbox - unstable plugins is a bit more work, but still doable.
::
::The point about libc containing a "fallback" mechanism is precisely so
::that a failure of lookupd won't leave the box _completely_ dead in the
::water.
::
::-- 
::jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
:
:    I would say we definitely want to keep a fallback mechanism in
:    libc... a simple spwd (e.g. master.passwd) mechanism ought to be
:    sufficient.
:
:    I really hate the idea of using dynamically linked plug-ins for
:    authentication, at least when used with standard applications.
:    I think it's disaster waiting to happen.  It might be reasonable 
:    to use plug-ins for a port service based authentication daemon
:    since that is a far more controlled situation.

    I'm going to expand on this a bit.. the reason I think authentication
    plug-ins are a disaster for standard applications is because it creates 
    a weak link within the application itself.  If you have numerous
    authentication mechanisms one bug could put all of your applications
    (and the environments they run in, some of which might be encrypted
    secure) at risk.

    In a more controlled environment, such as in a port service, we can 
    spend the time necessary to isolate each mechanism in its own VFS/syscall
    environment so the absolute worst it can do is mis-authenticate.
    That's bad enough, but it is better then the alternative.

					-Matt
					Matthew Dillon 
					<dillon@xxxxxxxxxxxxx>