On 07 Oct 2008, at 21:16, Nicolas Williams wrote:

> But I took Darren's point to go a bit farther: that sysadmins should
> have control over what policy each pam_authorized module invocation
> referenced in the various pam.conf snippets should use, on a
> per-pam.conf snippet basis.
>
> I think there's a simple way to accomplish that which still makes it
> possible for us to have non-editable PAM configurations:
>
>  - Let pam_authorized take a module argument naming the suffix of a
>    policy.conf variable.
>
>    I.e., "pam_authorized.so.1 FOO" -> pam_authorized uses PAM_AUTHZ_FOO
>    (or whatever the prefix is, suffixed by "_FOO").
>
>  - If that can't be found in policy.conf, then fall back on the default
>    policy.conf variable name.
Why would this be better than having pam_authorized take a module argument that points to a policy profile, and falling back to some default (that could come from policy.conf or better yet host_attr)?

Bart