On Tue, Oct 07, 2008 at 03:40:10PM -0400, Jeffrey Hutzelman wrote:
> --On Tuesday, October 07, 2008 07:52:49 PM +0200 Bart Blanquart 
> <Bart.Blanquart at Sun.COM> wrote:
> 
> > Editing pam.conf or any of the files we ship in /usr/lib/security is not
> > supported, and upgrading/patching/... will either overwrite them or
> > complain (whatever the packaging system does in such cases), but it
> > won't merge or modify the file contents.
> 
> In other words, if I want to do something site-specific, I can no longer do 
> it by shipping out a new file, now I have to edit some database on every 
> machine.  _PLEASE_ stop doing that!

The alternative is maintaining complex and *brittle* pam.conf editing
programs.  We've had a lot of trouble with those.

Worse, we consider pam.conf fair game and may not preserve your
customizations on minor releases.  We're talking about fixing that
problem.

I agree that for Solaris 10 update releases we should not follow this
approach, but for OpenSolaris I believe we must.

And no, you don't have to edit a database, at least not for the files
backend.  You may have to edit /etc/security/policy.conf(4), but only
once.  And even better, we may provide better interfaces for PAM
configuration than $EDITOR (kclient(1M) already does, imagine us
extending that into a single, simple utility).

Basically, we're trying to get to a point where you:

a) pick from a set of common and useful *stock* policies OR design your own;
b) if you design your own then you express it through PAM configuration 
snippets;
c) configure the use of the selected policy *once* through keys in
   prof_attr(4) and/or policy.conf(4)

   Or, better, through a sysadmin tool [see comment above about kclient]...

d) on upgrade you need only worry about making changes to customer
   policies;

Because we're an open community and responsive, we'll look at integrating
all custom policies that use only modules shipped with Solaris.  We'll
also look at integrating FOSS PAM modules.  So, for most of you, there
should not ever be a PAM configuration issue on upgrade.

I think this is a very worthy goal.

Nico
-- 
