On 10/08/08 14:18, Darren J Moffat wrote:
> Sure it might not have much in it and we may not need to touch it on
> upgrade/patch if the end admin also hasn't touched. However it is still
> an editable file.
>
> So trying to pretend that somehow we get to /etc/pam.conf not being a
> file the end admin can edit is IMO silly.
When a system is upgraded, pam.conf no longer contains much of use besides some modules that include pam snippets. One such snippet might be the local policy (i.e. pam.conf as it was before the upgrade, now moved to /usr/lib/security/local_policy or so). If an admin then comes and changes pam.conf we just would not replace pam.conf on a future upgrade; we could drop in a pam.conf.new or so.

Moreover, in normal circumstances we would have no need to modify pam.conf itself: we could ship a "Solaris-Default"/"Unix"/"Kerberos"/... series of snippets and update those instead. Selecting which snippet to use (to use one of the standard ones) can be done by specifying a PAM_POLICY= in policy.conf (or host_attr(4)), so that too can be done without editing pam.conf.

So, no, pam.conf suddenly doesn't become uneditable -- but the need _for us_ to edit it pretty much goes away, and an admin can choose to also go down that path by using the toggles (/usr/lib/security/local_policy and/or PAM_POLICY= combined with a custom other file).

Bart
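The layered layout sketched in the reply above (a near-empty pam.conf that only includes snippets, the pre-upgrade policy preserved as /usr/lib/security/local_policy, and a PAM_POLICY= toggle in policy.conf) can be modelled to check what stack a given service actually ends up with. The following is an added example, not code from this thread or from any Solaris release: the snippet directory path, the `include` control flag, the PAM_POLICY placeholder and the snippet line format (no service field) are assumptions made for illustration, and all sample files are constructed.

```python
"""Model of the layered pam.conf layout described in the reply above (added
example, not code from the thread or any Solaris release). The snippet
directory, the `include` flag, the PAM_POLICY placeholder and the snippet
line format (no service field) are assumptions made for illustration."""
import re

POLICY_DIR = "/usr/lib/security/pam_policy/"   # assumed location of shipped snippets
POLICY_CONF = "/etc/security/policy.conf"

# Constructed sample files, keyed by path.
FILES = {
    "/etc/pam.conf": """\
# post-upgrade pam.conf: the real policy lives in snippets
login  auth     include  /usr/lib/security/local_policy
other  auth     include  PAM_POLICY
other  account  include  PAM_POLICY
""",
    POLICY_CONF: "CRYPT_DEFAULT=5\nPAM_POLICY=unix\n",
    POLICY_DIR + "unix": """\
auth     requisite  pam_authtok_get.so.1
auth     required   pam_unix_auth.so.1
account  required   pam_unix_account.so.1
""",
    POLICY_DIR + "krb5": """\
auth     requisite  pam_authtok_get.so.1
auth     required   pam_krb5.so.1
""",
    "/usr/lib/security/local_policy": """\
# the admin's pre-upgrade policy, preserved as a snippet
auth  requisite  pam_authtok_get.so.1
auth  required   pam_dhkeys.so.1
auth  required   pam_unix_auth.so.1
""",
}


def parse_entries(text, with_service=True):
    """(service, type, flag, args) per line; snippets carry no service field."""
    entries = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if len(f) < (4 if with_service else 3):
            raise ValueError("malformed entry: %r" % raw)
        entries.append((f[0], f[1], f[2], f[3:]) if with_service else (None, f[0], f[1], f[2:]))
    return entries


def pam_policy_name(files):
    """Value of PAM_POLICY= in policy.conf, or None when unset."""
    m = re.search(r"^PAM_POLICY=(\S+)", files.get(POLICY_CONF, ""), re.M)
    return m.group(1) if m else None


def resolve_stack(files, service, mtype):
    """Effective (flag, module, options) stack: service-specific pam.conf
    entries win, otherwise 'other'; include lines are expanded recursively."""
    top = parse_entries(files["/etc/pam.conf"])
    chosen = [e for e in top if e[0] == service and e[1] == mtype]
    if not chosen:
        chosen = [e for e in top if e[0] == "other" and e[1] == mtype]
    return _expand(files, chosen, mtype, frozenset())


def _expand(files, entries, mtype, seen):
    stack = []
    for _svc, _mt, flag, args in entries:
        if flag != "include":
            stack.append((flag, args[0], args[1:]))
            continue
        target = args[0]
        if target == "PAM_POLICY":            # the toggle lives in policy.conf
            name = pam_policy_name(files)
            if name is None:
                raise ValueError("PAM_POLICY referenced but not set in policy.conf")
            target = POLICY_DIR + name
        # Fail closed: a missing snippet or an include loop is a config error,
        # not a reason to silently run a shorter stack.
        if target not in files:
            raise ValueError("missing snippet " + target)
        if target in seen:
            raise ValueError("include loop at " + target)
        sub = [e for e in parse_entries(files[target], False) if e[1] == mtype]
        stack.extend(_expand(files, sub, mtype, seen | {target}))
    return stack


def switch_policy(files, name):
    """Change the default policy by editing policy.conf only; pam.conf is untouched."""
    new = dict(files)
    conf = files.get(POLICY_CONF, "")
    if re.search(r"^PAM_POLICY=", conf, re.M):
        conf = re.sub(r"^PAM_POLICY=.*$", "PAM_POLICY=" + name, conf, flags=re.M)
    else:
        conf += "PAM_POLICY=%s\n" % name
    new[POLICY_CONF] = conf
    return new


if __name__ == "__main__":
    for svc in ("login", "sshd"):
        print(svc, "auth:", [m for _, m, _ in resolve_stack(FILES, svc, "auth")])
    print("sshd auth with PAM_POLICY=krb5:",
          [m for _, m, _ in resolve_stack(switch_policy(FILES, "krb5"), "sshd", "auth")])
```

Two points the model makes concrete. First, `login` keeps the admin's old stack through local_policy while every other service follows whatever PAM_POLICY= names, and flipping that name never touches the bytes of /etc/pam.conf, which is what lets an upgrade leave the file alone. Second, the resolver refuses to continue on a missing snippet or an include loop rather than quietly producing a shorter stack; when policy is spread over several files, a dangling reference is the failure mode to check for after an upgrade.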