Linux-PAM 0.78 and later contains include directive which obsoletes using the pam_stack module. This module is rather a hack as it requires access to pam library internals for its operation and will never be accepted to upstream. The include directive implementation is much cleaner although its semantics are subtly different. The include works as a real include so the base file and the included one are processed as if they were first flattened into one file. The pam_stack module however works as if the pam was recursively called again with the stacked service. Arguably the pam_stack model is little bit more "user friendly" as "sufficient" entries in the stacked service don't bypass modules in the primary service which came after the pam_stack module. This means that all existing configuration files for services cannot be blindly modified but they have to be carefully examinated and modified with the above in mind. The pam_stack module probably won't be removed too soon because it would break upgrades with modified pam configs however I'll probably add some deprecation message in the system log when it will be used. Also big warning for people which modify the /etc/pam.d/system-auth file by hand - never remove the "auth required pam_deny.so" as it will make some pamified services open to anyone (depending on preceding modules in the system-auth and the pam config which includes it). -- Tomas Mraz <tmraz@xxxxxxxxxx> -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
