On Tue, Jan 09, 2018 at 04:30:56PM +0100, Pavel Březina wrote:
> On 01/05/2018 05:21 PM, Zbigniew Jędrzejewski-Szmek wrote:
> >On Fri, Jan 05, 2018 at 02:50:45PM +0100, Jan Kurik wrote:
> >>= System Wide Change: Make authselect default tool instead of authconfig =
> >>https://fedoraproject.org/wiki/Changes/AuthselectAsDefault
> >
> >Does this change do anything to reduce the number of files in /etc
> >that do not contain local configuration? PAM is currently one of the
> >worst offenders, with /etc/pam.d full of "configuration" files.
> No. The files must stay since it would require changes in pam itself
> and that is out of scope of authselect. Each file corresponds to
> an individual pam service and is read when pam_start(service_name, ...)
> is called.
> >Elsewhere in the thread /usr/share/authselect/custom is mentioned as
> >a directory for admin config. That's OK-ish, as long as you also allow
> >a directory in /etc for the same purpose. /usr must be allowed to be
> >immutable.
> Would /usr/local be OK as well?

/usr/local is special. Packages are not allowed to put stuff there [1],
and it is instead an alternate install location that is under the
control of the administrator. It seems reasonable to support
authselect configuration located there.
/usr/share/authselect and /etc/authselect are the two main locations
that should be supported, and /usr/local/share/authselect would be an
additional option.
[1] https://fedoraproject.org/wiki/Packaging:Guidelines#No_Files_or_Directori...
Zbyszek