> >> The solaris.login authorizations are granted to all accounts via
> >> "Basic Solaris User", so the behaviour of the system remains the same
> >> in default configurations.
> >
> > Since we do not want customers modifying Sun delivered Rights
> > Profiles, IMO it would be better to add a new Rights Profile
> > and add that to PROFS_GRANTED, or to add solaris.login.* to
> > AUTHS_GRANTED.
> >
>
> Customers that want to deviate from the default profile can define their
> own "Site Solaris User" and assign that in PROFS_GRANTED. I don't see
> the value in adding another default profile as "Basic Solaris User" is
> just that.

I realize that. And they may not want to do so. It seems to me that it would be just as easy for this project to add the solaris.login.* to policy.conf AUTHS_GRANTED= as to Basic Solaris User, and then the admin could just change policy.conf rather than have to create a new profile and update pam.conf if they wanted no remote login, for example -- this is the same strategy as for disabling use of cdrw.

> >> Standards, Environments, and Macros pam_auths(5)

Looking at the man page again, I missed a few things the first time.

As the man page is also for a programming interface for callers of pam as well as an administrative interface for the parameters to the module, the pam items need to be discussed.

Additionally, I presume PAM_USER is the user whose authorizations are checked. I didn't see that explicitly mentioned. Specifically, I presume ruid, PAM_RUSER and PAM_AUSER have no part in the policy.

Gary..
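
An added example, not part of the thread or of the project's code: a small resolver for the default grants in policy.conf, comparing the profile-based grant with the AUTHS_GRANTED grant discussed above. The file contents are constructed, and `solaris.login.remote` and the contents given to the two profiles are hypothetical; only `solaris.login.*`, the profile names and the policy.conf keys come from the messages.

```python
# Constructed sample data. solaris.login.remote is a hypothetical authorization name.
PROF_ATTR = (
    "Basic Solaris User:::Automatically assigned rights:auths=solaris.login.*;profs=All\n"
    "Site Solaris User:::Site default without login auths:profs=All\n"
    "All:::Execute any command as the user or role:help=RtAll.html\n"
)
POLICY_PROFILE = "AUTHS_GRANTED=solaris.device.cdrw\nPROFS_GRANTED=Basic Solaris User\n"
POLICY_SITE = "AUTHS_GRANTED=solaris.device.cdrw\nPROFS_GRANTED=Site Solaris User\n"
POLICY_AUTHS = "AUTHS_GRANTED=solaris.device.cdrw,solaris.login.*\nPROFS_GRANTED=Site Solaris User\n"

def parse_policy(text):
    """Return {KEY: [values]} for the KEY=value lines of a policy.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, val = line.partition("=")
            conf[key.strip()] = [v.strip() for v in val.split(",") if v.strip()]
    return conf

def parse_prof_attr(text):
    """Return {profile: {"auths": [...], "profs": [...]}} from prof_attr lines."""
    profiles = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _res1, _res2, _desc, attr = line.split(":", 4)
        kv = dict(p.split("=", 1) for p in attr.split(";") if "=" in p)
        profiles[name] = {k: [v for v in kv.get(k, "").split(",") if v]
                          for k in ("auths", "profs")}
    return profiles

def default_auths(policy, profiles):
    """AUTHS_GRANTED plus the auths of PROFS_GRANTED, following nested profiles."""
    auths = set(policy.get("AUTHS_GRANTED", []))
    todo, seen = list(policy.get("PROFS_GRANTED", [])), set()
    while todo:
        name = todo.pop()
        if name not in seen and name in profiles:
            seen.add(name)
            auths.update(profiles[name]["auths"])
            todo.extend(profiles[name]["profs"])
    return auths

def has_auth(granted, wanted):
    """A granted entry ending in '.*' covers every authorization under that prefix."""
    return any(g == wanted or (g.endswith(".*") and wanted.startswith(g[:-1]))
               for g in granted)

def granted_by_default(policy_text, prof_text, wanted):
    return has_auth(default_auths(parse_policy(policy_text), parse_prof_attr(prof_text)), wanted)
```

With `POLICY_PROFILE` the grant arrives through the profile, so withdrawing it means switching to a site profile as in `POLICY_SITE`; with `POLICY_AUTHS` it is one entry on the `AUTHS_GRANTED` line.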