cvs commit: src/lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c
Yar Tikhiy
yar at comp.chem.msu.su
Fri May 11 14:10:29 UTC 2007
On Tue, May 01, 2007 at 11:07:42PM +0400, Yar Tikhiy wrote:
> On Mon, Apr 30, 2007 at 02:46:18PM +0100, Ceri Davies wrote:
> > On Mon, Apr 30, 2007 at 05:42:28PM +0400, Yar Tikhiy wrote:
> > > On Mon, Apr 30, 2007 at 02:15:04PM +0100, Ceri Davies wrote:
> > > >
> > > > Well, we currently have an *NP* case as per above, but not a *LK* case,
> > > > so I disagree somewhat.
> > >
> > > Why? Now *LOCKED* in FreeBSD is nearly the same as *LK* in Solaris
> > > with the only difference being that cron or at doesn't seem to care
> > > about it. And a single asterisk works for us as *NP* does in
> > > Solaris, although it isn't a prefix, it occupies the whole password
> > > field. Did I miss anything?
> >
> > Well, because of the cron thing :)
>
> If we want to propagate account locking semantics to cron and atrun,
> which is a good idea IMHO, we should avoid code duplication. I
> haven't yet found a suitable place in src/lib to put the check at,
> but we need to find one as more checks can be done there, e.g.,
> that for an expired account, because expired accounts shouldn't run
> scheduled jobs either. Any ideas? Of course, the most obvious way
> is to add the respective function to libutil, but I'm still unsure
> if it's the best way.
I think I've finally got the clue. It's -- surprise! -- PAM account
management via pam_unix(8). PAM-ifying cron and atrun can do the
job. Then they will also be able to respect nologin(5) etc via
pam.conf(5), and no more patches will be necessary.
--
Yar
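
The check the thread wants cron and atrun to share, sketched as an added example (not code from this message or from FreeBSD): it classifies one master.passwd(5) line by the `*LOCKED*` prefix and the expire field. The names `field` and `job_acct_state` are hypothetical, and letting a bare `*` password still run jobs is an assumption based on the *NP* comparison above; a PAM-ified cron would get this verdict from account management instead of parsing the file itself.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

enum acct_state { ACCT_OK, ACCT_LOCKED, ACCT_EXPIRED, ACCT_MALFORMED };

/* Copy colon-separated field idx (0-based) of line into buf; 0 on success. */
static int field(const char *line, int idx, char *buf, size_t len)
{
    const char *p = line, *end;
    size_t n;
    while (idx-- > 0) {
        if ((p = strchr(p, ':')) == NULL) return -1;
        p++;
    }
    end = strchr(p, ':');
    n = end ? (size_t)(end - p) : strcspn(p, "\n");
    if (n >= len) return -1;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return 0;
}

/* Decide whether the account on this line may run scheduled jobs at `now`. */
enum acct_state job_acct_state(const char *line, time_t now)
{
    char pw[256], expire[32], *e;
    long long t;
    /* Layout: name:password:uid:gid:class:change:expire:gecos:home:shell */
    if (field(line, 1, pw, sizeof pw) || field(line, 6, expire, sizeof expire))
        return ACCT_MALFORMED;              /* fail closed on short lines */
    if (strncmp(pw, "*LOCKED*", 8) == 0)    /* lock marker is a prefix */
        return ACCT_LOCKED;
    t = strtoll(expire, &e, 10);
    if (e == expire || *e != '\0') return ACCT_MALFORMED;
    if (t != 0 && (long long)now >= t)      /* 0 means "never expires" */
        return ACCT_EXPIRED;
    return ACCT_OK;   /* includes a bare "*": no password, but not locked */
}

int main(void)
{
    /* Constructed sample line, not taken from a real system. */
    const char *l = "op:*LOCKED*$6$x:1001:1001::0:0:Op:/home/op:/bin/sh";
    printf("state=%d\n", job_acct_state(l, time(NULL)));
    return 0;
}
```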