* Notes
https://web.archive.org/web/20170327150148/http://www.penzin.net/bsdauth/

- In the man page for [[https://man.openbsd.org/auth_subr.3#auth_call][=auth_call=]] it says
  #+begin_src text
  path    The full path name of the login script to run.  The call will
          fail if path does not pass the requirements of the
          secure_path(3) function.
  #+end_src
  However, I don't see this enforced anywhere; I even wrote a small test script to prove it.
  #+CAPTION: =authfail.c=
  #+begin_src c
  #include <sys/types.h>
  #include <stdlib.h>
  #include <login_cap.h>
  #include <bsd_auth.h>

  int
  main(void)
  {
  	auth_session_t *as;

  	as = auth_open();
  	/* The "login script" here is an ordinary binary in a user's home directory. */
  	auth_call(as, "/home/dante/auth_tests/authtest/test", "hello", NULL);
  	auth_close(as);
  }
  #+end_src
  Change ="/home/dante/auth_tests/authtest/test"= to the location of the =test= binary.
  #+CAPTION: =test.c=
  #+begin_src c
  #include <stdio.h>

  int
  main(void)
  {
  	printf("Hello! I don't have a secure path!\n");
  	return 0;
  }
  #+end_src
  #+CAPTION: =Makefile=
  #+begin_src makefile
  CFLAGS = -Wall -Wextra

  run: authfail test
  	./authfail

  authfail: authfail.c
  	$(CC) -o $@ $(CFLAGS) $<

  test: test.c
  	$(CC) -o $@ $(CFLAGS) $<
  #+end_src
  Which results in the following:
  #+begin_src text
  $ pwd && ls -l && make
  /home/dante/auth_tests/authtest
  total 12
  -rw-r--r-- 1 dante dante 143 May 30 19:20 Makefile
  -rw-r--r-- 1 dante dante 248 May 29 19:30 authfail.c
  -rw-r--r-- 1 dante dante 115 May 29 19:22 test.c
  cc -o authfail -Wall -Wextra authfail.c
  cc -o test -Wall -Wextra test.c
  ./authfail
  Hello! I don't have a secure path!
  #+end_src
- The man page also says the path is limited to =/bin/= and =/usr/bin=, which is also not the case.
- The man page describes the interface for =auth_getitem= as being in the format of =AUTH_=, but in reality it is =AUTHV_=.
# Ask jcs about the file descriptor situation, I don't understand it
# after reading both the man page and source.
- The [[#auth_getchallenge][=auth_getchallenge=]] function in the [[https://man.openbsd.org/auth_subr.3#auth_getchallenge][=auth_subr(3)=]] man page doesn't seem to exist in the source code.
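
Since the test above shows =auth_call= running a binary owned by a regular user, a caller that wants the guarantee the man page describes can apply the secure_path(3) requirements itself (the path must exist, be a regular file, be owned by root, and not be writable by group or other) before handing the path over. This is an added example, not code from these notes or from OpenBSD; =check_login_script=, =verdict_from_stat= and the =path_verdict= enum are hypothetical names.

```c
/* Added example: the secure_path(3) requirements as a standalone check.
 * All names below are hypothetical, not part of the BSD auth API. */
#define _XOPEN_SOURCE 700	/* lstat() and S_IF* under strict -std=c99 */
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

enum path_verdict {
	PATH_OK = 0,
	PATH_NO_STAT,		/* missing or inaccessible */
	PATH_NOT_REGULAR,	/* directory, symlink, device, ... */
	PATH_NOT_ROOT,		/* owner is not uid 0 */
	PATH_WRITABLE		/* writable by group or other */
};

/* Pure decision on an already-fetched stat record, so the rules can be
 * exercised without needing root-owned files on disk. */
enum path_verdict
verdict_from_stat(const struct stat *sb)
{
	if (!S_ISREG(sb->st_mode))
		return PATH_NOT_REGULAR;
	if (sb->st_uid != 0)
		return PATH_NOT_ROOT;
	if (sb->st_mode & (S_IWGRP | S_IWOTH))
		return PATH_WRITABLE;
	return PATH_OK;
}

/* lstat(), not stat(): a symlink is rejected as "not a regular file"
 * instead of being followed to whatever it points at. */
enum path_verdict
check_login_script(const char *path)
{
	struct stat sb;

	if (lstat(path, &sb) == -1)
		return PATH_NO_STAT;
	return verdict_from_stat(&sb);
}

int
main(int argc, char **argv)
{
	static const char *why[] = { "ok", "cannot stat", "not a regular file",
	    "not owned by root", "writable by group/other" };
	/* Default is the path used in authfail.c above. */
	const char *p = argc > 1 ? argv[1] : "/home/dante/auth_tests/authtest/test";

	printf("%s: %s\n", p, why[check_login_script(p)]);
	return 0;
}
```

A check on a path followed by a later exec of the same path leaves a window in which the file can be replaced, so the directories leading to the script should be root-owned and non-writable as well.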
** TODO How are these configured in login.conf?