move PAM stack usage to separate helper
So it turns out that I hadn't been using shadow passwords on my other
development box (don't ask) and that's why auth as root worked fine
when just running as an unprivileged user. However, to auth as another
user (such as root), the process embedding pam needs to run as
root. Therefore, split out the actual authentication bits into a small
and easy to audit helper, polkit-grant-helper-pam.
The auth now goes like this:
polkit-gnome <-links with-> libpolkit-grant
^
|
spawns
|
V
/usr/libexec/polkit-grant-helper
^
|
spawns
|
V
/usr/libexec/polkit-grant-helper-pam
where
polkit-grant-helper
is setgid polkit; it links with libdbus and libpolkit.
polkit-grant-helper-pam
is setuid root; it links only with libpam