On 07 Oct 2008, at 21:40, Jeffrey Hutzelman wrote:

> --On Tuesday, October 07, 2008 07:52:49 PM +0200 Bart Blanquart
> <Bart.Blanquart at Sun.COM> wrote:
>
>> Editing pam.conf or any of the files we ship in /usr/lib/security is not
>> supported, and upgrading/patching/... will either overwrite them or
>> complain (whatever the packaging system does in such cases), but it
>> won't merge or modify the file contents.
>
> In other words, if I want to do something site-specific, I can no longer do
> it by shipping out a new file, now I have to edit some database on every
> machine.  _PLEASE_ stop doing that!

Well, we could just keep doing what we're doing now, in which case your
shipped-out file might get mangled because of some complexity that
wasn't accounted for in the pam.conf-editing script that comes with a
patch or newer package.

Even with the approach I had described there's nothing stopping you  
from dropping in a default policy.conf, but now that you mention it an  
alternative could be created that needs no such modification:

pam_system_policy checks if there's a PAM_POLICY in policy.conf, and
if present uses it.
In its absence it checks if there's a /usr/lib/security/local_pam_configuration,
and if present uses it.
If that file isn't present it uses some default policy that lives in
a /usr/lib/security file.

Bart
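The three-step fallback Bart sketches above, written out as a small resolver so the precedence is explicit. This is an added example for this thread, not Sun's pam_system_policy code; it assumes policy.conf uses `KEY=value` lines with `#` comments, treats PAM_POLICY as a bare policy name (no path separators), and adds a permission check on the local file that the mail does not mention: a local_pam_configuration that is group- or world-writable is ignored and the resolver falls through to the default, since whatever file wins this lookup decides authentication policy for the host. The file names for the local and default policies are assumptions as well.

```python
import os
import stat
import tempfile

POLICY_KEY = "PAM_POLICY"


def read_pam_policy_key(policy_conf_path):
    """Return the PAM_POLICY value from policy.conf, or None if absent.

    Assumed file format: one 'KEY=value' per line, '#' starts a comment,
    surrounding whitespace is ignored. Values containing a path separator
    or '..' are rejected so the key can only select a named policy.
    """
    try:
        with open(policy_conf_path) as fh:
            for raw in fh:
                line = raw.split("#", 1)[0].strip()
                if not line or "=" not in line:
                    continue
                key, value = (part.strip() for part in line.split("=", 1))
                if key != POLICY_KEY or not value:
                    continue
                if "/" in value or ".." in value:
                    return None  # malformed; do not let it select anything
                return value
    except OSError:
        return None
    return None


def is_trustworthy_file(path):
    """True for a regular file that group and others cannot write to."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def resolve_pam_policy(policy_conf, local_conf, default_conf):
    """Apply the fallback order: policy.conf key, then local file, then default.

    Returns (source, selection) so a caller can log which step decided.
    """
    named = read_pam_policy_key(policy_conf)
    if named is not None:
        return ("policy.conf", named)
    if is_trustworthy_file(local_conf):
        return ("local", local_conf)
    return ("default", default_conf)


def demo():
    """Run all fallback cases against constructed fixtures in a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        policy_conf = os.path.join(d, "policy.conf")
        local_conf = os.path.join(d, "local_pam_configuration")  # assumed name
        default_conf = os.path.join(d, "default_pam_policy")      # assumed name

        # Case 1: policy.conf names a policy; comment and odd spacing are deliberate.
        with open(policy_conf, "w") as fh:
            fh.write("# constructed sample\nCRYPT_DEFAULT=6\n"
                     "  PAM_POLICY = site_krb5  # chosen here\n")
        results["named"] = resolve_pam_policy(policy_conf, local_conf, default_conf)

        # Case 2: no PAM_POLICY, but a local file with sane permissions exists.
        with open(policy_conf, "w") as fh:
            fh.write("CRYPT_DEFAULT=6\n")
        with open(local_conf, "w") as fh:
            fh.write("# constructed local policy\n")
        os.chmod(local_conf, 0o644)
        results["local"] = resolve_pam_policy(policy_conf, local_conf, default_conf)

        # Case 2b: same local file made world-writable: refused, default wins.
        os.chmod(local_conf, 0o666)
        results["local_writable"] = resolve_pam_policy(policy_conf, local_conf, default_conf)

        # Case 3: neither the key nor the local file is present.
        os.remove(local_conf)
        results["default"] = resolve_pam_policy(policy_conf, local_conf, default_conf)
    return results


if __name__ == "__main__":
    for case, (source, chosen) in demo().items():
        print(f"{case:15s} -> {source}: {chosen}")
```

The `source` element of the result is what you would want in an audit log: when a host authenticates against an unexpected policy, knowing whether policy.conf, the local file, or the default decided it is the first question.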
