Date: Fri, 11 May 2007 18:10:20 +0400
From: Yar Tikhiy <yar@comp.chem.msu.su>
To: Ceri Davies <ceri@submonkey.net>
Cc: cvs-src@freebsd.org, Alexandr Kovalenko <never@nevermind.kiev.ua>, src-committers@freebsd.org, cvs-all@freebsd.org
Subject: Re: cvs commit: src/lib/libpam/modules/pam_unix pam_unix.8 pam_unix.c
Message-ID: <20070511141019.GD21145@comp.chem.msu.su>
In-Reply-To: <20070501190742.GC51428@comp.chem.msu.su>
References: <200704260639.l3Q6d1SH027885@repoman.freebsd.org> <20070426105458.GA98415@nevermind.kiev.ua> <20070426114638.GC77408@submonkey.net> <20070427160740.GF3991@comp.chem.msu.su> <20070430131503.GY77408@submonkey.net> <20070430134227.GG32601@comp.chem.msu.su> <20070430134617.GZ77408@submonkey.net> <20070501190742.GC51428@comp.chem.msu.su>

On Tue, May 01, 2007 at 11:07:42PM +0400, Yar Tikhiy wrote:
> On Mon, Apr 30, 2007 at 02:46:18PM +0100, Ceri Davies wrote:
> > On Mon, Apr 30, 2007 at 05:42:28PM +0400, Yar Tikhiy wrote:
> > > On Mon, Apr 30, 2007 at 02:15:04PM +0100, Ceri Davies wrote:
> > > >
> > > > Well, we currently have an *NP* case as per above, but not a *LK* case,
> > > > so I disagree somewhat.
> > >
> > > Why? Now *LOCKED* in FreeBSD is nearly the same as *LK* in Solaris
> > > with the only difference being that cron or at doesn't seem to care
> > > about it. And a single asterisk works for us as *NP* does in
> > > Solaris, although it isn't a prefix, it occupies the whole password
> > > field. Did I miss anything?
> >
> > Well, because of the cron thing :)
>
> If we want to propagate account locking semantics to cron and atrun,
> which is a good idea IMHO, we should avoid code duplication. I
> haven't yet found a suitable place in src/lib to put the check at,
> but we need to find one as more checks can be done there, e.g.,
> that for expired account because expired accounts shouldn't run
> scheduled jobs either. Any ideas? Of course, the most obvious way
> is to add the respective function to libutil, but I'm still unsure
> if it's the best way.

I think I've finally got the clue. It's -- surprise! -- PAM account
management via pam_unix(8). PAM-ifying cron and atrun can do the job.
Then they will also be able to respect nologin(5) etc via pam.conf(5),
and no more patches will be necessary.

-- 
Yar
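
The account checks discussed in this thread (a `*LOCKED*` password prefix and an expired account should both stop scheduled jobs, while a lone `*` should not), sketched as an added example; this is not code from the thread, from cron, or from pam_unix. It assumes the master.passwd(5) field order shown in the comment; `acct_check` and the sample entries are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

enum acct_state { ACCT_OK, ACCT_LOCKED, ACCT_EXPIRED, ACCT_MALFORMED };

/* Classify one master.passwd(5) line (assumed field order):
 * name:password:uid:gid:class:change:expire:gecos:home_dir:shell */
enum acct_state acct_check(const char *line, time_t now)
{
    char buf[1024], *field[10], *p = buf, *end;
    int n = 0;
    if (strlen(line) >= sizeof(buf))
        return ACCT_MALFORMED;
    strcpy(buf, line);
    /* Split by hand: strtok() would collapse empty fields such as class. */
    for (;;) {
        field[n++] = p;
        p = strchr(p, ':');
        if (p == NULL || n == 10)
            break;
        *p++ = '\0';
    }
    if (n != 10 || p != NULL)          /* too few or too many fields */
        return ACCT_MALFORMED;
    /* Lock marker is a prefix; a lone "*" only disables password login. */
    if (strncmp(field[1], "*LOCKED*", 8) == 0)
        return ACCT_LOCKED;
    long long expire = strtoll(field[6], &end, 10);
    if (end == field[6] || *end != '\0')
        return ACCT_MALFORMED;
    if (expire > 0 && (long long)now >= expire)
        return ACCT_EXPIRED;
    return ACCT_OK;
}

int main(void)
{
    const char *lines[] = {            /* constructed sample entries */
        "bob:*LOCKED*$1$salt$hash:1002:1002::0:0:Bob:/home/bob:/bin/sh",
        "carol:$1$salt$hash:1003:1003::0:1177977600:Carol:/home/carol:/bin/sh",
        "daemon:*:1:1::0:0:Owner:/root:/usr/sbin/nologin",
    };
    static const char *name[] = { "ok", "locked", "expired", "malformed" };
    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
        printf("%s -> %s\n", lines[i], name[acct_check(lines[i], time(NULL))]);
    return 0;
}
```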