
> Once you pick a user to start the authentication flow, it forks off a special helper that's marked setuid root so it can interact with PAM (unfortunately, arbitrary PAM modules can assume things about root credentials).

Does this mean we could remove the helper's setuid mark if we know the PAM modules we need don't assume things about root credentials? Would we even need the helper then?




Yeah, probably, but PAM modules have a habit of crashing and can load arbitrary libraries, so for such a big system component I would still keep it isolated. But if you think you can trust it...



