[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: The current (not existing) PAM policy

On Fri, Mar 14, 2003 at 12:45:59AM +0100, Sebastian Rittau wrote:
> The solution to this is quite simple: Every package that comes with PAM
> support should not install a valid PAM file in /etc/pam.d. Instead it
> should come with an example file, maybe called /etc/pam.d/<package>.ex.
> If the administrator wishes to use a custom configuration for this
> package, he can edit this file and rename it properly. Otherwise the
> default configuration in /etc/pam.d/other will get used automatically.
> This would allow administrator to edit only one file, which will get
> used by all PAM using packages.

This would deprive packages like ssh of the ability to set up what the
maintainer considers better defaults (e.g. the extra session stuff). It
also would mean that for example we can't ship with a login that honours
/etc/securetty, at least not via PAM.

I've no problem with trying to achieve more consistency in some
automatic way (maybe having some kind of include mechanism in PAM
configuration files, or otherwise providing a more sophisticated
fallback algorithm?), but I think simply saying that packages are not to
install PAM configuration files but should leave it up to the
administrator is a step backwards, not forwards. Currently the
administrator can intervene if need be, albeit with some awkwardness,
but the defaults are reasonable for simple setups; with your proposal it
would be made easier to maintain complicated setups, but we'd be
requiring novice users to intervene in order to get what we've hitherto
considered sensible defaults. This seems the wrong way round to me.


Colin Watson                                  [cjwatson@flatline.org.uk]

Reply to: