-rw-r--r-- | content/posts/WIP-how-bsd-authentication-works/index.org | 36 |
1 files changed, 19 insertions, 17 deletions
diff --git a/content/posts/WIP-how-bsd-authentication-works/index.org b/content/posts/WIP-how-bsd-authentication-works/index.org index 9e1b7d0..0726728 100644 --- a/content/posts/WIP-how-bsd-authentication-works/index.org +++ b/content/posts/WIP-how-bsd-authentication-works/index.org @@ -399,23 +399,6 @@ <<here>> - --- - note: In the man page auth_subr it says - #+begin_quote - path The full path name of the login script to run. The call will - fail if path does not pass the requirements of the secure_path(3) - function. - #+end_quote - However I don't see this enforced anywhere, I even wrote a small test - script to prove that's the case on =vfwall ~/authtest=. - - The manpage also says the path is limited to =/bin/= and =/usr/bin=, - which is also not the case. - - Ask jcs about the file descriptor situation, I don't understand it - after reading both the man page and source. - --- - Inside of =auth_call=, a socket pair of type =PF_LOCAL, SOCK_STREAM= is created. This is called the "back channel", and is used to communicate with the authentication module. The process then forks, @@ -555,6 +538,25 @@ #define AUTH_PWEXPIRED 0x40 /* password expired */ #+END_SRC +** COMMENT note + + --- + note: In the man page auth_subr it says + #+begin_quote + path The full path name of the login script to run. The call will + fail if path does not pass the requirements of the secure_path(3) + function. + #+end_quote + However I don't see this enforced anywhere, I even wrote a small test + script to prove that's the case on =vfwall ~/authtest=. + + The manpage also says the path is limited to =/bin/= and =/usr/bin=, + which is also not the case. + + Ask jcs about the file descriptor situation, I don't understand it + after reading both the man page and source. + --- + ** _auth_spool ** _recv_fd |
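Review bot: in the first hunk (@@ -399,23 +399,6), the `<<here>>` target in the leading context is left in place after the note that followed it is removed. If the target only marked where that note sat, drop it in the same change; if something links to it, confirm that landing directly on the "Inside of =auth_call=" paragraph is the intended destination.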
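Review bot: in the second hunk (@@ -555,6 +538,25), the body under the new `** COMMENT note` heading is moved verbatim, so it keeps the `---` rules and the `note:` prefix that the heading now makes redundant, and it still carries two open items with no tracking: the observation that the secure_path(3) requirement quoted from auth_subr is not enforced, and "Ask jcs about the file descriptor situation". Because the post documents authentication behaviour, the man page versus source discrepancy should be settled before the post leaves WIP rather than parked under a generic heading; consider one heading per open item (for example with a TODO keyword) so each is visible. The reference to =vfwall ~/authtest= names a location outside this file, so either include the test script in the post or drop the pointer.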