On Fri, 2003-12-05 at 22:12, Rick Stevens wrote:
> nosp wrote:
>
>>[FC1's PAM is configured to cache users' access to root by default]
>
> [why?]
> I think it was something called "laziness".

grep pam_timestamp /etc/pam.d/* | wc
     73     219    5028

I'd hire the lazy bastard :).

> For my money, it should be a configurable thing:

It is...

>
> 1) Only grant root privileges for _this_ job

Possible

> 2) Only grant root privileges for "n" minutes on THIS virtual
>    terminal

Dunno -- maybe see the pam_group module at
http://www.us.kernel.org/pub/linux/libs/pam/

> 3) Only grant root privileges for "n" minutes for this parent
>    process (e.g. shell session)

Dunno.

> with the default being 1, above.

You can probably get what you want by removing the pam_timestamp line
from every file in /etc/pam.d .

> That's my opinion and I'm sticking with it! ;-)

As long as both opinions can be configured I'm happy. As to my opinion
on the default, I'll stick with my agnostic and hoping-to-be-enlightened
opinion too :).

PS. I suppose we would get some general PAM answers on the pam mailing
list -- https://listman.redhat.com/mailman/listinfo/pam-list -- but I
think this question -- "Why is the FC1 default PAM configuration set to
use pam_timestamp" still is on-topic.
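
Added example, not part of the original message: one way to carry out the suggestion above (removing the pam_timestamp line from every file in /etc/pam.d) as a shell script. The function names and the sample files are constructed for illustration; the script comments lines out instead of deleting them, keeps a .bak copy, and takes the directory as an argument so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example: audit and disable pam_timestamp entries in a PAM directory.
# Function names are hypothetical; pass a copy of /etc/pam.d to try it safely.

# Print "file:line-number:text" for every active (uncommented) pam_timestamp line.
pam_ts_audit() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case $f in *.bak) continue ;; esac      # skip our own backups
        awk '!/^[ \t]*#/ && /pam_timestamp/ { print FILENAME ":" NR ":" $0 }' "$f"
    done
}

# Comment out active pam_timestamp lines. The original is kept as FILE.bak and
# the file is rewritten in place, so its owner and mode are unchanged.
pam_ts_disable() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case $f in *.bak) continue ;; esac
        grep -v '^[[:space:]]*#' "$f" | grep -q 'pam_timestamp' || continue
        cp -p "$f" "$f.bak" || return 1
        awk '!/^[ \t]*#/ && /pam_timestamp/ { print "#" $0; next } { print }' \
            "$f.bak" > "$f" || return 1
    done
}

# Write two constructed sample service files into directory $1 (test data only).
pam_ts_sample() {
    printf '%s\n' '#%PAM-1.0' \
        'auth       sufficient   pam_rootok.so' \
        'auth       sufficient   pam_timestamp.so' \
        'auth       required     pam_stack.so service=system-auth' \
        'session    optional     pam_timestamp.so' > "$1/example-config-tool"
    printf '%s\n' '#%PAM-1.0' \
        '# auth     sufficient   pam_timestamp.so' \
        'auth       required     pam_stack.so service=system-auth' > "$1/example-other"
}

# Usage: sh script.sh audit DIR   or   sh script.sh disable DIR
case ${1:-} in
    audit)   pam_ts_audit "$2" ;;
    disable) pam_ts_disable "$2" ;;
esac
```

Run the audit before and after the change; an empty audit means no service in that directory will reuse a cached authentication.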