Date:      Fri, 11 May 2007 16:25:00 +0100
From:      Ceri Davies <ceri@submonkey.net>
To:        Yar Tikhiy <yar@comp.chem.msu.su>
Cc:        cvs-src@freebsd.org, src-committers@freebsd.org, cvs-all@freebsd.org
Subject:   Re: cvs commit: src/lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c
Message-ID:  <20070511152500.GS301@submonkey.net>
In-Reply-To: <20070511141019.GD21145@comp.chem.msu.su>
References:  <200704260639.l3Q6d1SH027885@repoman.freebsd.org> <20070426105458.GA98415@nevermind.kiev.ua> <20070426114638.GC77408@submonkey.net> <20070427160740.GF3991@comp.chem.msu.su> <20070430131503.GY77408@submonkey.net> <20070430134227.GG32601@comp.chem.msu.su> <20070430134617.GZ77408@submonkey.net> <20070501190742.GC51428@comp.chem.msu.su> <20070511141019.GD21145@comp.chem.msu.su>


On Fri, May 11, 2007 at 06:10:20PM +0400, Yar Tikhiy wrote:
> On Tue, May 01, 2007 at 11:07:42PM +0400, Yar Tikhiy wrote:
> > On Mon, Apr 30, 2007 at 02:46:18PM +0100, Ceri Davies wrote:
> > > On Mon, Apr 30, 2007 at 05:42:28PM +0400, Yar Tikhiy wrote:
> > > > On Mon, Apr 30, 2007 at 02:15:04PM +0100, Ceri Davies wrote:
> > > > >=20
> > > > > Well, we currently have an *NP* case as per above, but not a *LK*=
 case,
> > > > > so I disagree somewhat.
> > > >=20
> > > > Why?  Now *LOCKED* in FreeBSD is nearly the same as *LK* in Solaris
> > > > with the only difference being that cron or at doesn't seem to care
> > > > about it.  And a single asterisk works for us as *NP* does in
> > > > Solaris, although it isn't a prefix, it occupies the whole password
> > > > field.  Did I miss anything?
> > >=20
> > > Well, because of the cron thing :)
> >=20
> > If we want to propagate account locking semantics to cron and atrun,
> > which is a good idea IMHO, we should avoid code duplication.  I
> > haven't yet found a suitable place in src/lib to put the check at,
> > but we need to find one as more checks can be done there, e.g.,
> > that for expired account because expired accounts shouldn't run
> > scheduled jobs either.  Any ideas?  Of course, the most obvious way
> > is to add the respective function to libutil, but I'm still unsure
> > if it's the best way.
>=20
> I think I've finally got the clue.  It's -- surprise! -- PAM account
> management via pam_unix(8).  PAM-ifying cron and atrun can do the
> job.  Then they will also be able to respect nologin(5) etc via
> pam.conf(5), and no more patches will be necessary.

Well that sounds like an excellent solution, thanks for volunteering,
Yar :)

Ceri
-- 
That must be wonderful!  I don't understand it at all.
                                                  -- Moliere
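
The shared check discussed in the quoted thread (a locked or expired account should not run scheduled jobs), as an added example that is not part of the original message and is not FreeBSD's pam_unix or cron code. It assumes the master.passwd(5) field order and the `*LOCKED*` prefix named above; `acct_check` and the `ACCT_*` codes are hypothetical names, and the sample entries are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Hypothetical result codes for this example; not PAM's constants. */
enum acct_status { ACCT_OK, ACCT_LOCKED, ACCT_EXPIRED, ACCT_BAD_ENTRY };
#define LOCKED_PREFIX "*LOCKED*"  /* lock marker named in the thread */
#define NFIELDS 10  /* name:passwd:uid:gid:class:change:expire:gecos:dir:shell */

/* May a scheduled job run for the account in this master.passwd(5) line? */
enum acct_status acct_check(const char *line, time_t now)
{
	char buf[1024], *field[NFIELDS], *p, *end;
	long long expire;
	int n = 0;
	if (snprintf(buf, sizeof(buf), "%s", line) >= (int)sizeof(buf))
		return (ACCT_BAD_ENTRY);
	/* Split on ':' by hand so empty fields survive (strtok merges them). */
	for (p = buf; p != NULL && n < NFIELDS; n++) {
		field[n] = p;
		if ((p = strchr(p, ':')) != NULL)
			*p++ = '\0';
	}
	if (n != NFIELDS || p != NULL)
		return (ACCT_BAD_ENTRY);	/* fail closed on odd entries */
	/* A lone "*" is the no-password case from the thread, not a lock. */
	if (strncmp(field[1], LOCKED_PREFIX, strlen(LOCKED_PREFIX)) == 0)
		return (ACCT_LOCKED);
	expire = strtoll(field[6], &end, 10);
	if (end == field[6] || *end != '\0')
		return (ACCT_BAD_ENTRY);
	if (expire > 0 && (long long)now >= expire)
		return (ACCT_EXPIRED);	/* 0 means the account never expires */
	return (ACCT_OK);
}

int main(void)
{
	const char *lines[] = {	/* constructed sample entries, placeholder hashes */
		"alice:$placeholder$:1001:1001::0:0:Alice:/home/alice:/bin/sh",
		"bob:*LOCKED*$placeholder$:1002:1002::0:0:Bob:/home/bob:/bin/sh",
		"carol:$placeholder$:1003:1003::0:1000000000:Carol:/home/carol:/bin/sh",
		"daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin",
	};
	for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
		printf("%d  %s\n", (int)acct_check(lines[i], time(NULL)), lines[i]);
	return (0);
}
```

The PAM approach proposed in the thread would move this decision into the account-management module, so cron and atrun would not carry their own copy of it.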



