On Thu, Aug 13, 2009 at 05:14:01PM +0100, Darren J Moffat wrote: > >But, if it is a requirement that Solaris by default does not touch the > >user's $HOME directory before authentication, then the Face Browser > >would need to be turned off by default. Do we want to be different > >than other distros in this regard because of this kerberos requirement? > > That is good question. > The security part of me says off. > The on Sun network part of me says off > (NFS kerberos home dir/privacy/Huge Sun Ray deployment) > The "keeping up with the jones" part of me says turn it on > The MacOS X user in me says turn it on. > > So that's a 50/50 split vote from me :-)
The *feature* (face browser) should be on in personal system installs. That would mean: whenever you use the interactive installed. And it should be OFF if you use AI. I say this even though I very much dislike the face browser idea. As for $HOME: login daemons _must_ keep their grubby paws off $HOME before user login is complete. If images and what not are kept in $HOME, then either move them out or cache them elsewhere. That, incidentally also solves the "local user" problem: let the user specify which accounts are "local" or, rather, "should appear in the face browser". By keeping track of that separately you avoid having to play heuristic games with /etc/passwd, and you get a chance to save a copy of users' face images outside their $HOMEs. Nico --
