On Fri, 18 Aug 2000, Nalin Dahyabhai wrote: > On Fri, Aug 18, 2000 at 10:31:31AM -0500, Steve Langasek wrote: > > I personally think it would be good if distributions took this route. > > RedHat's default for /etc/pam.d/other right now is to use pam_deny for > > everything, but this really seems unnecessary to me when the config file could > > be put to much better use. > You want an otherwise-unconfigured service to default to deny, so that > you know you haven't left any doors open that you didn't mean to. Nalin, I understand the reasoning behind these defaults, I just disagree that they're necessary. :) I don't see how installing a PAM-based service on the system and allowing it to use the configured defaults constitutes leaving a door open if /etc/pam.d/other represents the system policy. What harm do you see coming from setting up a distribution so that the account and password stacks, for instance, are allowed to fall back to a system policy set in /etc/pam.d/other? Steve Langasek postmodern programmer
