Date: Wed, 16 May 2007 17:48:04 +0200
From: Alexander Leidinger
To: Ceri Davies
Cc: Yar Tikhiy, src-committers@freebsd.org, cvs-all@freebsd.org, cvs-src@freebsd.org
Subject: Re: cvs commit: src/lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c

Quoting Ceri Davies (Fri, 11 May 2007 16:25:00 +0100):

> On Fri, May 11, 2007 at 06:10:20PM +0400, Yar Tikhiy wrote:
> > On Tue, May 01, 2007 at 11:07:42PM +0400, Yar Tikhiy wrote:
> > > On Mon, Apr 30, 2007 at 02:46:18PM +0100, Ceri Davies wrote:
> > > > On Mon, Apr 30, 2007 at 05:42:28PM +0400, Yar Tikhiy wrote:
> > > > > On Mon, Apr 30, 2007 at 02:15:04PM +0100, Ceri Davies wrote:
> > > > > >
> > > > > > Well, we currently have an *NP* case as per above, but not a *LK* case,
> > > > > > so I disagree somewhat.
> > > > >
> > > > > Why? Now *LOCKED* in FreeBSD is nearly the same as *LK* in Solaris
> > > > > with the only difference being that cron or at doesn't seem to care
> > > > > about it. And a single asterisk works for us as *NP* does in
> > > > > Solaris, although it isn't a prefix, it occupies the whole password
> > > > > field. Did I miss anything?
> > > >
> > > > Well, because of the cron thing :)
> > >
> > > If we want to propagate account locking semantics to cron and atrun,
> > > which is a good idea IMHO, we should avoid code duplication. I
> > > haven't yet found a suitable place in src/lib to put the check at,
> > > but we need to find one as more checks can be done there, e.g.,
> > > that for expired account because expired accounts shouldn't run
> > > scheduled jobs either. Any ideas? Of course, the most obvious way
> > > is to add the respective function to libutil, but I'm still unsure
> > > if it's the best way.
> >
> > I think I've finally got the clue. It's -- surprise! -- PAM account
> > management via pam_unix(8). PAM-ifying cron and atrun can do the
> > job. Then they will also be able to respect nologin(5) etc via
> > pam.conf(5), and no more patches will be necessary.
>
> Well that sounds like an excellent solution, thanks for volunteering,
> Yar :)

We can also put this up on the ideas page? Anyone with enough insight
into this volunteering to write a sensible entry for the ideas list?
Plain text would be ok in case you don't want to handle the markup.

Bye,
Alexander.

--
I try to keep an open mind, but not so open that my brains fall out.
-- Judge Harold T. Stone
http://www.Leidinger.net    Alexander @ Leidinger.net: PGP ID = B0063FE7
http://www.FreeBSD.org       netchild @ FreeBSD.org  : PGP ID = 72077137
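
The account checks discussed in the thread (a `*LOCKED*` prefix versus a bare `*` filling the whole password field, plus account expiry), sketched as an added C example that is not part of the original message and is not FreeBSD's pam_unix code. The names `job_verdict` and `field`, the verdict enum and the sample entries are hypothetical or constructed. It assumes the master.passwd(5) field order and that a bare `*` account may still run scheduled jobs, as `*NP*` does on Solaris.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
enum verdict { JOB_OK, JOB_LOCKED, JOB_EXPIRED, JOB_MALFORMED };

/* Copy colon-separated field idx (0-based) into out; empty fields are kept. */
static int field(const char *line, int idx, char *out, size_t outsz)
{
    while (idx-- > 0) {
        if ((line = strchr(line, ':')) == NULL)
            return -1;
        line++;
    }
    size_t len = strcspn(line, ":");
    if (len >= outsz)
        return -1;
    memcpy(out, line, len);
    out[len] = '\0';
    return 0;
}

/* Hypothetical pre-run check: may jobs run for this master.passwd entry? */
enum verdict job_verdict(const char *entry, time_t now)
{
    char pw[128], expire[32], *stop;
    if (field(entry, 1, pw, sizeof pw) || field(entry, 6, expire, sizeof expire))
        return JOB_MALFORMED;
    if (strncmp(pw, "*LOCKED*", 8) == 0)        /* prefix match: locked account */
        return JOB_LOCKED;
    long long when = strtoll(expire, &stop, 10);
    if (*stop != '\0')
        return JOB_MALFORMED;
    if (when != 0 && (long long)now >= when)    /* 0 or empty: never expires */
        return JOB_EXPIRED;
    return JOB_OK;                              /* includes a bare "*" field */
}

int main(void)
{
    /* Constructed sample entries, not taken from any real system. */
    const char *samples[] = {
        "bob:*LOCKED*$1$constructed:1002:1002::0:0:Bob:/home/bob:/bin/sh",
        "daemon:*:1:1::0:0:System:/root:/usr/sbin/nologin",
        "carol:$1$constructed:1003:1003::0:1000000000:Carol:/home/carol:/bin/sh",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%d %s\n", job_verdict(samples[i], time(NULL)), samples[i]);
    return 0;
}
```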