On Tue, Oct 07, 2008 at 11:53:46PM +0200, Bart Blanquart wrote:
>
> On 07 Oct 2008, at 21:16, Nicolas Williams wrote:
> > But I took Darren's point to go a bit farther: that sysadmins should
> > have control over what policy each pam_authorized module invocation
> > referenced in the various pam.conf snippets should use, on a
> > per-pam.conf snippet basis.
> >
> > I think there's a simple way to accomplish that which still makes it
> > possible for us to have non-editable PAM configurations:
> >
> >  - Let pam_authorized take a module argument naming the suffix of a
> >    policy.conf variable.
> >
> >    I.e., "pam_authorized.so.1 FOO" -> pam_authorized uses PAM_AUTHZ_FOO
> >    (or whatever the prefix is, suffixed by "_FOO").
> >
> >  - If that can't be found in policy.conf, then fallback on the default
> >    policy.conf variable name.
>
> Why would this be better than having pam_authorized take a module
> argument that points to a policy profile, and falling back to some
> default (that could come from policy.conf or better yet host_attr)?

Because you'd not ever have to change any PAM config to set that.