
Re: /etc/pam.d/files

On Mon, Aug 21, 2000 at 11:40:54AM -0500, Steve Langasek wrote:
> Nalin,
> I understand the reasoning behind these defaults, I just disagree that they're
> necessary. :)  I don't see how installing a PAM-based service on the system
> and allowing it to use the configured defaults constitutes leaving a door open
> if /etc/pam.d/other represents the system policy.  What harm do you see coming
> from setting up a distribution so that the account and password stacks, for
> instance, are allowed to fall back to a system policy set in /etc/pam.d/other?

The "other" configuration file can only rarely be correct for any
given service -- consider whether or not it would suffice for ftp
(you need pam_ftp to allow anonymous connections) or telnet access
(you want pam_securetty in there somewhere) or su (you might want
to be using pam_wheel, or maybe not).

The existence of the service's configuration file tells me what its
name is.  Granted, there's a naming convention, but I don't know if
a particular package follows it (kdm uses "kde"... ugh).  It also
makes me feel better about using it because I know that someone
somewhere at least took the trouble to check that the one provided
works, instead of blindly trusting the defaults given in the "other"
configuration file, which may be inappropriate for that service.

Then again, it may be a purely personal preference.
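
Added example, not part of the original message: a small audit that lists, for each file in a PAM configuration directory, the management groups it has no rules for, since Linux-PAM takes those groups from "other". The sample files are constructed for illustration, and the parser is simplified on these assumptions: it follows Debian-style `@include` lines, counts an `include`/`substack` rule as a rule for its group without following it, and ignores backslash continuations.

```python
import os
import tempfile

GROUPS = ("auth", "account", "password", "session")

def groups_defined(pam_dir, service, seen=None):
    """Management groups for which `service` has at least one rule."""
    seen = set() if seen is None else seen
    path = os.path.join(pam_dir, service)
    if service in seen or not os.path.isfile(path):  # include loop / missing file
        return set()
    seen.add(service)
    found = set()
    with open(path) as fh:
        for line in fh:
            fields = line.split("#", 1)[0].split()
            if fields[:1] == ["@include"] and len(fields) > 1:  # Debian-style include
                found |= groups_defined(pam_dir, fields[1], seen)
            elif fields and fields[0].lstrip("-") in GROUPS:  # '-' prefix is allowed
                found.add(fields[0].lstrip("-"))
    return found

def fallback_report(pam_dir):
    """Map each service file to the groups it leaves to 'other'."""
    report = {}
    for name in sorted(os.listdir(pam_dir)):
        have = groups_defined(pam_dir, name)
        missing = [g for g in GROUPS if g not in have]
        if missing and name != "other":
            report[name] = missing
    return report

SAMPLE = {  # constructed sample files, not copied from any distribution
    "other": "".join(f"{g} required pam_deny.so\n" for g in GROUPS),
    "common": "".join(f"{g} required pam_unix.so\n" for g in GROUPS),
    "ftp": "auth sufficient pam_ftp.so\naccount required pam_unix.so\n",
    "su": "auth required pam_wheel.so\n@include common\n",
    "kde": "auth required pam_unix.so  # auth stack only\n",
}

def demo():
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLE.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text)
        return fallback_report(d)

if __name__ == "__main__":
    for svc, missing in demo().items():
        print(f"{svc}: falls back to 'other' for {', '.join(missing)}")
```

On a real system, call `fallback_report("/etc/pam.d")` and review each reported group against what "other" actually contains.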

