On Thu, Nov 15, 2012 at 03:54:27AM +0400, Dmitry V. Levin wrote:
> Well, could you then explain why do you keep that
> 7 year old vlock-1.3-morepam.patch from Nalin in Fedora vlock package?

...to make it compatible with many other PAM applications. It's
common practice to use pam_authenticate() + pam_acct_mgmt() +
pam_setcred(). I don't think it's a good idea to make any exceptions
from this practice. You need pam_acct_mgmt() to check account
validity, expiration, etc.

> It does something unnatural for vlock, e.g. pam_acct_mgmt and even
> pam_setcred! At the same time, the only module in its account stack is
> pam_permit.so. Weird.

Well, it's only a config file; $EDITOR /etc/pam.d/vlock is enough to
make your configuration more paranoid. It's definitely better to
support all the features by binary and define policies in config
files.

    Karel

--
 Karel Zak <kzak@xxxxxxxxxx>
 http://karelzak.blogspot.com
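
The point about policy living in /etc/pam.d/vlock can be checked mechanically. The script below is an added example, not part of the original message or of vlock: it classifies the account stack of a PAM service file, i.e. what pam_acct_mgmt() will actually evaluate. The function name audit_account_stack and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. Classify the "account" stack of a PAM service file, i.e. what
# pam_acct_mgmt() will evaluate for that service.
# Prints: enforcing | delegated | permit-only | no-account-stack
audit_account_stack() {
    awk '
        /^[ \t]*(#|$)/   { next }                 # comments, blank lines
        $1 == "@include" { inc++; next }          # Debian-style include, all types
        {
            type = $1; sub(/^-/, "", type)        # "-account": same type, quieter logging
            if (type != "account") next
            if ($2 == "include" || $2 == "substack") { inc++; next }
            i = 2                                 # control: one word or [k=v ...]
            if ($2 ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            n = split($(i + 1), p, "/")           # drop any directory prefix
            if (p[n] != "pam_permit.so") real++
            total++
        }
        END {
            if (real)       print "enforcing"
            else if (inc)   print "delegated"     # verdict depends on included file
            else if (total) print "permit-only"   # pam_acct_mgmt() always succeeds
            else            print "no-account-stack"
        }
    ' "$1"
}

# Constructed sample service files (not copied from any distribution).
samples=$(mktemp -d)
trap 'rm -rf "$samples"' EXIT
cat > "$samples/vlock.permit" <<'EOF'
#%PAM-1.0
auth     required  pam_unix.so
account  required  pam_permit.so
EOF
cat > "$samples/vlock.strict" <<'EOF'
#%PAM-1.0
auth     required  pam_unix.so
account  [success=1 default=ignore]  pam_localuser.so
account  required  pam_unix.so
EOF
for f in "$samples"/vlock.*; do
    printf '%s: %s\n' "${f##*/}" "$(audit_account_stack "$f")"
done
```

A "delegated" verdict means the account stack is pulled in from another file, which has to be audited in turn.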