On 07 Oct 2008, at 23:46, Nicolas Williams wrote:
> That's what happened when pam_unix.so.1 was split: the old one was
> removed.

I'm assuming that the previous pam_unix.so.1 wasn't deemed to be a stable interface. So for the future we probably should make a reasonable (sub)set of the pam modules be stable, so other snippets can be written.

> I agree that the PAM config snippets we deliver in /usr/lib/security
> have Committed semantics. That's clearly a good thing.
>
> The problem is that anyone writing their own such snippets won't be able
> to expect them to be stable, at least across minor releases of
> [Open]Solaris. The same applies to /etc/pam.conf itself today.
> ALTERNATIVELY we must do heroic PAM config upgrade scripting.

If someone writes a snippet that uses only modules whose invocation is "stable" why wouldn't it be ok to expect that to be stable too?

Upgrading from a current system to one with the semantics I described before could be done fairly easily: if the pam.conf file was modified from what we shipped (if we can determine this) then just copy it to /usr/lib/security/local_pam_configuration, and drop our simplified pam_user_policy + pam_system_policy one in place.

Bart