On 10/08/08 00:18, Nicolas Williams wrote:
> Or perhaps we decided that because there was no 'include' and no
> pam_eval() that we could script the upgrade of /etc/pam.conf.
>
> But now that we have 'include' and (soon) pam_eval(), the situation gets
> more complex.

I'm not convinced things are more complex: we no longer have to deal with modified local configurations, as those will live in files that we won't touch. The only complexity is that we need to not remove modules that we've deemed to be stable, but that doesn't mean we're bound to use them in the snippets we ship.

>> If someone writes a snippet that uses only modules whose invocation is
>> "stable" why wouldn't it be ok to expect that to be stable too?
>
> I'm concerned about painting ourselves into corners.

Right, but committing on the presence and basic functionality of the main set of modules wouldn't commit us too much: yes, we'd need to keep shipping those modules even if we stop using them, but I don't see an alternative that permits anyone else to do something useful with PAM without having to ship a complete stack of modules by themselves, thereby replicating much of the work done on the system-provided modules. For subsystems that are in flux we might specify that a snippet is the stable level, until the modules and semantics have settled down enough to allow the modules to become the stable interface.

>> Upgrading from a current system to one with the semantics I described
>> before could be done fairly easily: if the pam.conf file was modified
>> from what we shipped (if we can determine this) then just copy it to
>> /usr/lib/security/local_pam_configuration, and drop our simplified
>> pam_user_policy + pam_system_policy one in place.
>
> Yes, that's fairly obvious and easy. I've suggested as much in a recent
> e-mail about the status and future of the pam_user_policy case. I think
> Jeff would object to that too since that steps all over his
> configuration system, though, on the other hand, I think Jeff never
> upgrades systems (but we'll see if that will be true w.r.t. whatever
> OpenSolaris systems Jeff ends up running).

If there's a workable alternative I'd be happy to hear about it.

Bart
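The upgrade step quoted in this message (preserve a locally modified pam.conf as /usr/lib/security/local_pam_configuration, then drop the simplified pam_user_policy + pam_system_policy stack in its place) sketched as a script. This is an added example, not code from the thread or from the Solaris/OpenSolaris upgrade tooling; it runs only under a scratch root given as its argument. Its assumptions: a pristine copy of the shipped file at etc/pam.conf.shipped stands in for whatever "if we can determine this" turns out to be (a package-manifest checksum would serve the same purpose), and the simplified stack it writes is a constructed placeholder whose module names, suffixes and control flags are illustrative, not the platform's real configuration.

```shell
#!/bin/sh
# Added example: one way to script the upgrade step described in the thread.
# Everything happens under a scratch root ($1), never the live system.
#
# Assumptions (constructed for this example):
#   - etc/pam.conf.shipped under the root is a pristine copy of what we
#     shipped, used to decide whether the admin modified pam.conf;
#   - the simplified stack below is a placeholder; real module names,
#     .so.1 suffixes and control flags belong to the platform.

simplified_stack() {
    cat <<'EOF'
# simplified policy stack (constructed placeholder, not a real pam.conf)
other auth    required pam_user_policy.so.1
other auth    required pam_system_policy.so.1
other account required pam_user_policy.so.1
other session required pam_user_policy.so.1
EOF
}

# migrate_pam_conf ROOT
# Prints one of: skipped | preserved | replaced
migrate_pam_conf() {
    root=$1
    conf="$root/etc/pam.conf"
    shipped="$root/etc/pam.conf.shipped"
    local_conf="$root/usr/lib/security/local_pam_configuration"

    # Never clobber a local configuration that already exists: re-running
    # the upgrade must not lose the admin's stack.
    if [ -e "$local_conf" ]; then
        echo skipped
        return 0
    fi

    if cmp -s "$conf" "$shipped"; then
        # Byte-identical to what we shipped: safe to replace outright.
        outcome=replaced
    else
        # Locally modified: preserve it byte-for-byte, with permissions.
        mkdir -p "$root/usr/lib/security"
        cp -p "$conf" "$local_conf"
        outcome=preserved
    fi

    # Write the new file beside the old one and rename, so a crash in the
    # middle leaves either the old or the new pam.conf, never a truncated
    # one (a broken pam.conf can lock every user out).
    simplified_stack > "$conf.new"
    chmod 644 "$conf.new"
    mv "$conf.new" "$conf"
    echo "$outcome"
}

# Self-demo on scratch roots: one unmodified and one modified pam.conf.
# The shipped content is a constructed one-line sample.
demo() {
    for case in unmodified modified; do
        root=$(mktemp -d)
        mkdir -p "$root/etc"
        printf 'other auth required pam_unix_auth.so.1\n' > "$root/etc/pam.conf.shipped"
        cp "$root/etc/pam.conf.shipped" "$root/etc/pam.conf"
        if [ "$case" = modified ]; then
            echo 'login auth required pam_dial_auth.so.1' >> "$root/etc/pam.conf"
        fi
        printf '%s pam.conf: %s\n' "$case" "$(migrate_pam_conf "$root")"
        rm -rf "$root"
    done
}
demo
```

The decision is made on exact equality with the shipped copy, so even a whitespace-only edit counts as "modified" and is preserved; that errs on the side of keeping the admin's file, which is the cheaper mistake. The script refuses to overwrite an existing local_pam_configuration, so the step is safe to re-run.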