On Mon, Aug 21, 2000 at 11:40:54AM -0500, Steve Langasek wrote:
> Nalin,
>
> I understand the reasoning behind these defaults, I just disagree that they're
> necessary. :) I don't see how installing a PAM-based service on the system
> and allowing it to use the configured defaults constitutes leaving a door open
> if /etc/pam.d/other represents the system policy. What harm do you see coming
> from setting up a distribution so that the account and password stacks, for
> instance, are allowed to fall back to a system policy set in /etc/pam.d/other?

The "other" configuration file can only rarely be correct for any given
service -- consider whether or not it would suffice for ftp (you need pam_ftp
to allow anonymous connections) or telnet access (you want pam_securetty in
there somewhere) or su (you might want to be using pam_wheel, or maybe not).

The existence of the service's configuration file tells me what its name is.
Granted, there's a naming convention, but I don't know if a particular package
follows it (kdm uses "kde"... ugh). It also makes me feel better about using
it because I know that someone somewhere at least took the trouble to check
that the one provided works, instead of blindly trusting the defaults given in
the "other" configuration file, which may be inappropriate for that service.

Then again, it may be a purely personal preference.

Nalin
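Added example, not part of the original message or of any distribution's tooling: a small audit that reports, per service, which management groups would fall back to the "other" file and whether a module the site expects for that service is actually in its effective stacks. The file contents, the service names and the EXPECTED policy table are constructed assumptions; include/substack targets are recorded as-is, not followed.

```python
# Constructed pam.d contents for illustration; not taken from a real system.
SAMPLE = {
    "other": "auth required pam_deny.so\naccount required pam_deny.so\n"
             "password required pam_deny.so\nsession required pam_deny.so\n",
    "ftp": "auth sufficient pam_ftp.so\nauth required pam_unix.so\n",
    "su": "auth sufficient pam_rootok.so\nauth required pam_unix.so\n"
          "account required pam_unix.so\nsession required pam_unix.so\n",
}
# Hypothetical site policy: module each service's effective stacks must contain.
EXPECTED = {"ftp": "pam_ftp", "telnet": "pam_securetty"}
GROUPS = ("auth", "account", "password", "session")

def parse(text):
    """Return {group: [module names]} for the text of one pam.d file."""
    stacks = {g: [] for g in GROUPS}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") not in stacks:
            continue
        rest = fields[1:]
        # A bracketed control such as [success=1 default=ignore] spans tokens.
        if rest[0].startswith("["):
            while len(rest) > 1 and not rest[0].endswith("]"):
                rest = rest[1:]
        if len(rest) < 2:
            continue
        name = rest[1].rsplit("/", 1)[-1]
        name = name[:-3] if name.endswith(".so") else name
        stacks[fields[0].lstrip("-")].append(name)
    return stacks

def audit(configs, expected):
    """Report fallback groups and missing expected modules per service."""
    other = parse(configs.get("other", ""))
    report = {}
    for service in sorted((set(configs) | set(expected)) - {"other"}):
        own = parse(configs.get(service, ""))  # no file: every group is empty
        fallback = [g for g in GROUPS if not own[g]]
        effective = {g: own[g] or other[g] for g in GROUPS}
        want = expected.get(service)
        found = any(want in mods for mods in effective.values())
        report[service] = {"fallback": fallback,
                           "missing": want if want and not found else None}
    return report

if __name__ == "__main__":
    for service, result in audit(SAMPLE, EXPECTED).items():
        print(service, result)
```
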