On Wed, Oct 08, 2008 at 12:10:37AM +0200, Bart Blanquart wrote:
> On 07 Oct 2008, at 23:46, Nicolas Williams wrote:
> > That's what happened when pam_unix.so.1 was split: the old one was
> > removed.
>
> I'm assuming that the previous pam_unix.so.1 wasn't deemed to be a
> stable interface. So for the future we probably should make a
> reasonable (sub)set of the pam modules be stable, so other snippets
> can be written.

Or perhaps we decided that because there was no 'include' and no
pam_eval() that we could script the upgrade of /etc/pam.conf. But now
that we have 'include' and (soon) pam_eval(), the situation gets more
complex.

> If someone writes a snippet that uses only modules whose invocation is
> "stable" why wouldn't it be ok to expect that to be stable too?

I'm concerned about painting ourselves into corners.

> Upgrading from a current system to one with the semantics I described
> before could be done fairly easily: if the pam.conf file was modified
> from what we shipped (if we can determine this) then just copy it to
> /usr/lib/security/local_pam_configuration, and drop our simplified
> pam_user_policy + pam_system_policy one in place.

Yes, that's fairly obvious and easy. I've suggested as much in a recent
e-mail about the status and future of the pam_user_policy case.

I think Jeff would object to that too since that steps all over his
configuration system, though, on the other hand, I think Jeff never
upgrades systems (but we'll see if that will be true w.r.t. whatever
OpenSolaris systems Jeff ends up running).

Nico
--