This, btw, was yet another reminder of the horrible can of worms #stdio's #buffering is.
I created a little tool running as a child process to do the *actual* #PAM authentication, so it will be possible to have this run as root while the real service drops all privileges. This little tool uses a simple line-based protocol for communication on stdin/stdout. It worked well when testing directly on the terminal.
On the first real test though, my service just went hanging. 
I suspected a deadlock caused by pthread mutexes. Wasted quite some time looking into that. Then I finally realized communication over the pipes was stalled.
Ok, just set buffering mode to "line buffering" after fdopen'ing the #pipe. Turned out that didn't help either. I *assume* that even in the child process, the stdio streams automatically created on the pipes were somehow fully buffered. But at that point, I was really fed up with trial and error and rewrote the whole mess to do I/O using plain #POSIX APIs (read, write), sidestepping any buffering. Worked like a charm. 
