> >> The solaris.login authorizations are granted to all accounts via
> >> "Basic Solaris User", so the behaviour of the system remains the same
> >> in default configurations.
> >
> > Since we do not want customers modifying Sun delivered Rights
> > Profiles, IMO it would be better to add a new Rights Profile
> > and add that to PROFS_GRANTED, or to add solaris.login.* to
> > AUTHS_GRANTED.
> >
>
> Customers that want to deviate from the default profile can define their
> own "Site Solaris User" and assign that in PROFS_GRANTED. I don't see
> the value in adding another default profile as "Basic Solaris User" is
> just that.

I realize that. And they may not want to do so. It seems to me
that it would be just as easy for this project to add the
solaris.login.* to policy.conf AUTHS_GRANTED= as to Basic Solaris
User and then the admin could just change policy.conf rather than
have to create a new profile and update pam.conf if they wanted
no remote login, for example -- this is the same strategy as for
disabling use of cdrw.

> >> Standards, Environments, and Macros pam_auths(5)

Looking at the man page again, I missed a few things the first
time. As the man page is also for a programming interface for
callers of pam as well as an administrative interface for the
parameters to the module, the pam items need to be discussed.
Additionally, I presume PAM_USER is the user whose authorizations
are checked. I didn't see that explicitly mentioned. Specifically
I presume ruid, PAM_RUSER and PAM_AUSER have no part in the policy.
Gary..