Joep Vesseur wrote:
>> d) If I proposed a change for adding PASSREQROLES or similar to allow
>> the option to be restricted to roles, would that fly at all?
>
> Not as such, I would think; that would mean we'd have to special-case
> roles in su(1) while they are just "other accounts" now. If we'd want to
> special-case this, I think we should do so in an appropriate PAM
> module that implements the roles-rules.
>

FWIW, I suppose that it would be more reasonable to request that su not honor PASSREQ from /etc/default/login. In any case that setting is not listed in the su(1) man page, so arguably it is a bug, if it does this today.

If a setting to enforce non-empty passwords is needed for su, it should IMHO be in /etc/default/su. As the usage discussed in this thread shows, it is generally more reasonable to allow a change of account without password (because the initial login has already established identity), than it is to allow login without password, so both should not be the same setting.

- Jörg

--
Joerg Barfurth           phone: +49 40 23646662 / x66662
Software Engineer        mailto:joerg.barfurth at sun.com
Desktop Technology       http://reserv.ireland/twiki/bin/view/Argus/
Thin Client Software     http://www.sun.com/software/sunray/
Sun Microsystems GmbH    http://www.sun.com/software/javadesktopsystem/