On 07 Oct 2008, at 22:22, James Carlson wrote:
> Neither policy.conf nor pam.conf (as far as I can tell) can be
> controlled centrally in any convenient way, so if I want to impose
> rules on a large organization, I have to choose among:
>
> - setting the file contents via jumpstart post-install
> - creating custom install media
> - telling all users how to become root and hack these files
> - going old-school with rdist as root
>
> I think that's the complaint -- having to change a file on every
> single machine, rather than having some central way to control policy.

Part of this would be addressed by having things like pam_authorized rely on profiles that live in prof_attr(4). Another part would be addressed by having host-specific policy (a fair chunk of which now lives in policy.conf but also in other files in /etc/default) defined in something like host_attr(4). And for some things local files can't be avoided and in those cases dropping them in should be sufficient.

Bart