pam_access and a .d directory

seth vidal skvidal at linux.duke.edu
Thu Sep 7 15:22:50 UTC 2006


On Thu, 2006-09-07 at 10:58 +0200, Tomas Mraz wrote:
> On Wed, 2006-09-06 at 20:26 +0200, Thorsten Kukuk wrote:
> > On Wed, Sep 06, seth vidal wrote:
> > 
> > > Hi,
> > >  On our systems we use pam_access quite extensively. We have a base-set
> > > of rules we apply to every server and then some servers require special
> > > rules. We'd love to be able to use something like:
> > > 
> > > /etc/security/access.conf <-- default rules
> > > /etc/security/access.conf.d/*.conf <-- additional rules concatenated
> > > onto the end of the whole set.
> > > 
> > > Just like with all the other .d directory changes it would allow us to
> > > drop a file onto the system to let that work w/o having to modify the
> > > access.conf itself.
> > 
> > The problem is: the order is important, the first matched rule
> > found will be used. With a .d directory, you don't have this
> > control anymore and you can get bad side effects, depending on at
> > which time which files are created.
> 
> glob() returns found matches in sorted order, although LC_COLLATE should
> be set to "C" temporarily, so the sorting order doesn't depend on
> locale.

I was actually thinking of just stealing the code to do this from
ldconfig, if it is something steal-able. :)

-sv
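
The ordering point raised in the thread (first match wins, so drop-in files must be read in a fixed order), as an added example that is not part of the original message and not Linux-PAM or ldconfig code. The helper names `glob_c_order` and `demo_order` and the drop-in file names are hypothetical; the sample directory is constructed under /tmp.

```c
#define _GNU_SOURCE
#include <glob.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: glob() with LC_COLLATE forced to "C", so matches come
 * back in byte order on every host. On return 0 the caller must globfree(). */
int glob_c_order(const char *pattern, glob_t *g)
{
    char *cur = setlocale(LC_COLLATE, NULL);
    char *saved = cur ? strdup(cur) : NULL;  /* setlocale may reuse its buffer */
    setlocale(LC_COLLATE, "C");
    int rc = glob(pattern, 0, NULL, g);
    if (saved) { setlocale(LC_COLLATE, saved); free(saved); }
    return rc;
}

/* Constructed sample: create drop-in files in an order unrelated to their
 * names, then return the basenames, comma-joined, in the order their rules
 * would be appended after access.conf. */
const char *demo_order(void)
{
    static char out[256];
    static const char *names[] = { "local.conf", "90-deny-all.conf",
                                   "Zsite.conf", "10-admins.conf" };
    char dir[] = "/tmp/accessd.XXXXXX", path[512];
    glob_t g;
    out[0] = '\0';
    if (!mkdtemp(dir)) return out;
    for (size_t i = 0; i < 4; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        FILE *f = fopen(path, "w"); if (f) fclose(f);
    }
    snprintf(path, sizeof path, "%s/*.conf", dir);
    if (glob_c_order(path, &g) == 0) {
        for (size_t i = 0; i < g.gl_pathc; i++) {
            if (i) strcat(out, ",");
            strcat(out, strrchr(g.gl_pathv[i], '/') + 1);
            unlink(g.gl_pathv[i]);
        }
        globfree(&g);
    }
    rmdir(dir);
    return out;
}

int main(void) { puts(demo_order()); return 0; }
```

With byte-order collation the uppercase `Zsite.conf` sorts ahead of `local.conf`, whereas a locale-aware collation can reverse that pair, which would change which rule matches first. `setlocale()` changes process-wide state, so the save and restore here is only safe where no other thread depends on the locale at that moment.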




