cvs commit: src/lib/libpam/modules/pam_unix pam_unix.8
yar at comp.chem.msu.su
Fri May 11 14:10:29 UTC 2007
On Tue, May 01, 2007 at 11:07:42PM +0400, Yar Tikhiy wrote:
> On Mon, Apr 30, 2007 at 02:46:18PM +0100, Ceri Davies wrote:
> > On Mon, Apr 30, 2007 at 05:42:28PM +0400, Yar Tikhiy wrote:
> > > On Mon, Apr 30, 2007 at 02:15:04PM +0100, Ceri Davies wrote:
> > > >
> > > > Well, we currently have an *NP* case as per above, but not a *LK* case,
> > > > so I disagree somewhat.
> > >
> > > Why? Now *LOCKED* in FreeBSD is nearly the same as *LK* in Solaris
> > > with the only difference being that cron or at doesn't seem to care
> > > about it. And a single asterisk works for us as *NP* does in
> > > Solaris, although it isn't a prefix, it occupies the whole password
> > > field. Did I miss anything?
> > Well, because of the cron thing :)
> If we want to propagate account locking semantics to cron and atrun,
> which is a good idea IMHO, we should avoid code duplication. I
> haven't yet found a suitable place in src/lib to put the check at,
> but we need to find one as more checks can be done there, e.g.,
> that for expired account because expired accounts shouldn't run
> scheduled jobs either. Any ideas? Of course, the most obvious way
> is to add the respective function to libutil, but I'm still unsure
> if it's the best way.
I think I've finally got the clue. It's -- surprise! -- PAM account
management via pam_unix(8). PAM-ifying cron and atrun can do the
job. Then they will also be able to respect nologin(5) etc. via
pam.conf(5), and no more patches will be necessary.
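
The shared check discussed in the quoted part of the thread (a `*LOCKED*` prefix, a lone `*`, and account expiry) can be sketched as follows. This is an added example, not code from FreeBSD or from any poster. `struct acct`, `acct_classify` and `acct_may_run_jobs` are hypothetical names, the sample entries are constructed, and letting a lone `*` still run jobs is an assumption based on the Solaris `*NP*` analogy.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical record holding the two master.passwd fields the thread mentions. */
struct acct {
    const char *pw_passwd;  /* password field */
    time_t      pw_expire;  /* account expiry time, 0 = never expires */
};

enum acct_state { ACCT_OK, ACCT_NOPASSWD, ACCT_LOCKED, ACCT_EXPIRED };

#define LOCKED_PREFIX "*LOCKED*"

/* Classify an account; a lock or an expiry takes precedence over a lone "*". */
enum acct_state acct_classify(const struct acct *a, time_t now)
{
    if (a->pw_passwd != NULL &&
        strncmp(a->pw_passwd, LOCKED_PREFIX, strlen(LOCKED_PREFIX)) == 0)
        return ACCT_LOCKED;
    if (a->pw_expire != 0 && now >= a->pw_expire)
        return ACCT_EXPIRED;
    if (a->pw_passwd != NULL && strcmp(a->pw_passwd, "*") == 0)
        return ACCT_NOPASSWD;
    return ACCT_OK;
}

/* Assumed policy: locked or expired accounts run no scheduled jobs;
 * a lone "*" only rules out password login, so jobs still run. */
int acct_may_run_jobs(const struct acct *a, time_t now)
{
    enum acct_state s = acct_classify(a, now);
    return s == ACCT_OK || s == ACCT_NOPASSWD;
}

int main(void)
{
    time_t now = 1178892629;            /* constructed timestamp */
    struct acct samples[] = {           /* constructed entries */
        { "$1$salt$hash", 0 },
        { "*", 0 },
        { "*LOCKED*$1$salt$hash", 0 },
        { "$1$salt$hash", now - 86400 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i].pw_passwd,
               acct_may_run_jobs(&samples[i], now) ? "run" : "skip");
    return 0;
}
```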