On 07 Oct 2008, at 23:03, Nicolas Williams wrote:
> Scriptable interfaces will be.  We could make it so that just dropping
> in a PAM config file just NOT in /etc/pam.conf AND dropping in
> /etc/security.conf suffice.
>
> [But none of that removes risk from changes like the pam_unix.so.1 split
> up that was done for Solaris 10.  So we might want to develop a more
> stable PAM customization interface.  This is probably a subject for a
> separate thread.]

The risk doesn't seem to be that big: as long as the old module is  
still shipped nothing changes for an admin: they have dropped in their  
own PAM configuration file and we're not touching it. If that  
references modules we're no longer using then that's OK, really.

If we remove modules the story changes, but then that's the stability  
level we'd be at: we can't change the behaviour of any of the policy  
files we ship in /usr/lib/security and we can't drop any modules (even  
if we stop using them in our configs), but that doesn't seem to be too  
much of a burden.

Bart
