Red Hat Bugzilla – Bug 1257951
[RFE]enhancement req: Add a support for local modification of pam.d/ files that won't be destroyed by authconfig
Last modified: 2015-08-31 10:59:45 EDT
I'd like to raise this enhancement request that Red Hat's PAM implementation support local tweaks that won't get overridden by authconfig.
Some changes and tweaks can't be done using pam-config or authconfig - for example proper setting of umask per groups/users, e.g.:
session [default=1 success=ignore] pam_succeed_if.so quiet user ingroup secret-agents
session optional pam_umask.so umask=0077
session [default=1 success=ignore] pam_succeed_if.so quiet uid eq 1005
session optional pam_umask.so umask=0002
^^ this sets a umask of 0077 for members of group "secret-agents" and a umask of 0002 for the user with uid 1005.
I propose supporting pam.d/system-auth-local, that will be included (sourced) into system-auth (the most important pam.d/ login-related file, sourced by most other modules) and that will be empty by default and not overridden by authconfig/pam-config.
Considering support for more files with the suffix -local seems reasonable to me.
Authconfig supports a different way of local modification (by using symlinks) and I do not think we want to complicate the pam configuration files even more.
(In reply to Tomas Mraz from comment #2)
> Authconfig supports a different way of local modification (by using symlinks)
> and I do not think we want to complicate the pam configuration files even
Can you elaborate on that idea about symlinks and authconfig not overriding whatever your setup is?
I don't see anything complicated about a file pam.d/auth-config-local with just a commented-out header stating: here you can put your additional directives, my dear sysadmin.
See the system-auth-ac(5) manual page for details.
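Added example (not part of the bug discussion and not Red Hat's code): the symlink approach referred to above, as a shell script that layers the reporter's umask rules on top of the authconfig-generated stack. It assumes, per system-auth-ac(5), that authconfig rewrites only system-auth-ac and leaves the system-auth symlink alone once it points at another file; the file name system-auth-local, the PAM_DIR variable and the stand-in system-auth-ac contents are assumptions of this example.

```shell
#!/bin/sh
# Rehearse in a scratch directory by default; set PAM_DIR=/etc/pam.d (as root,
# with a second root shell open) only after the sandbox run passes.
PAM_DIR="${PAM_DIR:-$(mktemp -d)}"

# Constructed stand-in for authconfig's generated file (the real one is longer).
seed_sandbox() {
    if [ -e "$PAM_DIR/system-auth-ac" ]; then return 0; fi
    printf '%s\n' '#%PAM-1.0' 'auth required pam_unix.so' \
        'account required pam_unix.so' 'password required pam_unix.so' \
        'session required pam_unix.so' > "$PAM_DIR/system-auth-ac"
    ln -s system-auth-ac "$PAM_DIR/system-auth"
}

# system-auth-local (assumed name): include every stack from system-auth-ac,
# then append the umask rules from the report. Dropping an include line would
# leave that stack without the authconfig-managed modules.
write_local() {
    tmp="$PAM_DIR/.system-auth-local.$$"
    cat > "$tmp" <<'EOF'
#%PAM-1.0
auth      include  system-auth-ac
account   include  system-auth-ac
password  include  system-auth-ac
session   include  system-auth-ac
session [default=1 success=ignore] pam_succeed_if.so quiet user ingroup secret-agents
session optional pam_umask.so umask=0077
session [default=1 success=ignore] pam_succeed_if.so quiet uid eq 1005
session optional pam_umask.so umask=0002
EOF
    chmod 644 "$tmp" && mv -f "$tmp" "$PAM_DIR/system-auth-local"
}

# Repoint system-auth atomically: create the new link beside it, rename over it.
repoint() {
    ln -s system-auth-local "$PAM_DIR/.system-auth.new.$$" &&
        mv -f "$PAM_DIR/.system-auth.new.$$" "$PAM_DIR/system-auth"
}

# Verify the link target and that all four stacks still include system-auth-ac.
verify() {
    [ "$(readlink "$PAM_DIR/system-auth")" = system-auth-local ] || return 1
    for t in auth account password session; do
        grep -Eq "^$t[[:space:]]+include[[:space:]]+system-auth-ac\$" \
            "$PAM_DIR/system-auth-local" || return 1
    done
}

seed_sandbox && write_local && repoint && verify && echo "ok: $PAM_DIR"
```

Services that include password-auth rather than system-auth need the same treatment applied to password-auth and password-auth-ac.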