On Mon, Jun 09, 2008 at 02:41:21PM +0200, Joerg Barfurth wrote:
> Joep Vesseur wrote:
>
>>> d) If I proposed a change for adding PASSREQROLES or similar to allow
>>> the option to be restricted to roles, would that fly at all?
>>
>> Not as such, I would think; that would mean we'd have to special-case
>> roles in su(1) while they are just "other accounts" now. If we'd want to
>> special-case this, I think we should do so in an appropriate PAM
>> module that implements the roles-rules.
>>
>
> FWIW, I suppose that it would be more reasonable to request that su not
> honor PASSREQ from /etc/default/login. In any case that setting is not
> listed in the su(1) man page, so arguably it is a bug, if it does this
> today.
>
> If a setting to enforce non-empty passwords is needed for su, it should
> IMHO be in /etc/default/su. As the usage discussed in this thread shows it
> is generally more reasonable to allow a change of account without password
> (because the initial login has already established identity), than it is to
> allow login without password, so both should not be the same setting.

That would be OK with me.

Ceri
--
That must be wonderful! I don't understand it at all.
    -- Moliere