On Fri, May 11, 2007 at 06:10:20PM +0400, Yar Tikhiy wrote: > On Tue, May 01, 2007 at 11:07:42PM +0400, Yar Tikhiy wrote: > > On Mon, Apr 30, 2007 at 02:46:18PM +0100, Ceri Davies wrote: > > > On Mon, Apr 30, 2007 at 05:42:28PM +0400, Yar Tikhiy wrote: > > > > On Mon, Apr 30, 2007 at 02:15:04PM +0100, Ceri Davies wrote: > > > > > > > > > > Well, we currently have an *NP* case as per above, but not a *LK* > > > > > case, > > > > > so I disagree somewhat. > > > > > > > > Why? Now *LOCKED* in FreeBSD is nearly the same as *LK* in Solaris > > > > with the only difference being that cron or at doesn't seem to care > > > > about it. And a single asterisk works for us as *NP* does in > > > > Solaris, although it isn't a prefix, it occupies the whole password > > > > field. Did I miss anything? > > > > > > Well, because of the cron thing :) > > > > If we want to propagate account locking semantics to cron and atrun, > > which is a good idea IMHO, we should avoid code duplication. I > > haven't yet found a suitable place in src/lib to put the check at, > > but we need to find one as more checks can be done there, e.g., > > that for expired account because expired accounts shouldn't run > > scheduled jobs either. Any ideas? Of course, the most obvious way > > is to add the respective function to libutil, but I'm still unsure > > if it's the best way. > > I think I've finally got the clue. It's -- surprise! -- PAM account > management via pam_unix(8). PAM-ifying cron and atrun can do the > job. Then they will also be able to respect nologin(5) etc via > pam.conf(5), and no more patches will be necessary.
Well that sounds like an excellent solution, thanks for volunteering,
Yar :)
Ceri
--
That must be wonderful! I don't understand it at all.
-- Moliere
pgpWKgc1y0MdT.pgp
Description: PGP signature
