+ We must turn off our SIGCHLD handler for the duration of the call to
+ pam_authenticate(), because in some cases, the underlying PAM code
+ will do this:
+
+ 1: fork a setuid subprocess to do some dirty work;
+ 2: read a response from that subprocess;
+ 3: waitpid(pid, ...) on that subprocess.
+
+ If we (the ignorant parent process) have a SIGCHLD handler, then there's
+ a race condition between steps 2 and 3: if the subprocess exits before
+ waitpid() was called, then our SIGCHLD handler fires, and gets notified
+ of the subprocess death; then PAM's call to waitpid() fails, because the
+ process has already been reaped.
+
+ I consider this a bug in PAM, since the caller should be able to have
+ whatever signal handlers it wants -- the PAM documentation doesn't say
+ "oh by the way, if you use PAM, you can't use SIGCHLD."