On Mon, Oct 13, 2008 at 06:45:37PM +0200, Bart Blanquart wrote:
> On 10/10/08 22:53, Nicolas Williams wrote:
> > - The 'All' RBAC profile is changed to specify a default PAM
> > configuration for all users (pam_unix_only)
>
> As I mentioned before: "All" is not the right place to specify a
> default, but thinking about it: neither is "Basic Solaris User".
>
> We'd suddenly break logins on systems where not everyone is granted
> "Basic Solaris User" while we don't have to:
>
> we could make pam_user_policy try
> user_attr(4),
> prof_attr(4) for assigned profiles (and any nested profiles),
> policy.conf(4) for the default profiles,
> (as it does now), but then add a fall back to a policy.conf(4) parameter
> that specifies a default PAM configuration.
For now I'm changing it to:
user_attr(4)
prof_attr(4)
policy.conf(4) (see comment about not using _get_user_defs())
hard-code "/usr/lib/security/pam_unix_only"
I'll post a webrev later.
