On 10/08/08 17:31, Nicolas Williams wrote:
> On Wed, Oct 08, 2008 at 02:13:58PM +0200, Bart Blanquart wrote:
>> On 10/08/08 00:13, Nicolas Williams wrote:
>>> On Wed, Oct 08, 2008 at 12:08:38AM +0200, Bart Blanquart wrote:
>>>>> Because you'd not ever have to change any PAM config to set that.
>>>> I think I'm missing something here: "take a module argument naming
>>>> the suffix of a policy.conf variable" means that the module gets an
>>>> argument, which is specified in a pam.conf snippet somewhere.
>>> That suffix would never, ever have to change.
>> So what's the difference with pointing to a profile name that would
>> never have to change, which removes one level of indirection?
>
> Oh, perhaps I missed that the profile name was meant to never change.

For the ones we define in our snippets: the names don't change. We ship the snippets pointing to "Snippet-name Login Authorization" profiles, which by default contain the local_login_auth (and friends) keywords specifying the solaris.login authorizations. We commit to not changing those profiles if they've been modified locally.

So, the pam_authorized module itself would take two options: "policy=" and "auths=", the first pointing to a profile, the second containing a list of authorizations. In (Open)Solaris shipped snippets only the first keyword is used; the other is available for use in custom snippets.

Sounds sensible?

Bart