On Fri, Oct 03, 2008 at 11:53:19AM -0700, Glenn Faden wrote:
> In PSARC/2005/275, we are dealing with sets of records that follow
> pam.conf syntax, so it makes sense to represent these as files. But, we
> should avoid creating new configuration files when we don't need them.

Back when I wanted pam_user_policy to have a default PAM configuration as an argument. One of the problems with doing that is that it impedes getting to the point where pam.conf (and pam.conf fragments meant to be included or pam_eval()ed) is *never* edited, and so it impedes us getting away from i.pamconf (or converting it into a service in the IPS world). That was Gary's argument, and I think it's a very good one too.

I'd much rather see to it that PAM modules have no useful configuration passed in as arguments that can't be provided in some other way instead.

> For this case, the existing prof_attr database already bundles
> authorizations, and we have a schema for representing them in LDAP, or
> other name services. So the use of a profile name, rather than a file
> name or URI avoids the need to create new files.

Oh yes, I suppose that we don't need a file for this, provided that we can name a profile (that users wouldn't necessarily have granted to them) that lists the authorizations meant for pam_authorized to use.

Either way, as long as the authorizations are not a module argument to pam_authorized, I'll be happy.

Nico
--