4.2 Directory based configuration
As of version 0.56, libpam can also be configured via the contents of the
/etc/pam.d/ directory, which is more flexible than the single configuration
file. In this case the directory is filled with files, each of which has a
filename equal to a service-name (in lower-case): it is the personal
configuration file for the named service. The existence of an /etc/pam.d/
directory means libpam will completely ignore the contents of /etc/pam.conf.
The syntax of each file is similar to that of the /etc/pam.conf file and is
made up of lines of the following form:
module-type control-flag module-path arguments
The only difference is that the service-name is not present: libpam already
knows the service name from the name of the file it has read.
This method of configuration has a number of advantages over the
single file approach. We list them here to assist the reader in
deciding which scheme to adopt:
- A lower chance of misconfiguring an application. There is one
less field to mis-type when editing the configuration files by hand.
- Easier to maintain. One application may be reconfigured without
risk of interfering with other applications on the system.
- It is possible to symbolically link different services'
configuration files to a single file. This makes it easier to keep the
system policy for access consistent across different applications.
(It should be noted that, to conserve space, it is equally possible to
hard link a number of configuration files. However, care
should be taken when administering this arrangement, as editing a hard
linked file is likely to break the link.)
- A potential for quicker configuration file parsing. Only the
relevant entries are parsed when a service gets bound to its modules.
- It is possible to limit read access to individual Linux-PAM
configuration files using the file protections of the filesystem.
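An added example, not part of the original guide: a Python audit of a pam.d-style directory that checks the points listed above (lower-case service filenames, symbolic versus hard links, file protections, and lines that still carry a pam.conf-style service-name field). The function names, finding strings and sample files are constructed for illustration, and only the four-field line form shown above is handled (no line continuations).

```python
import os, stat, tempfile

MODULE_TYPES = {"auth", "account", "session", "password"}

def audit_pam_d(directory):
    """Return (filename, finding) pairs for a pam.d-style directory."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):          # skip sub-directories and broken links
            continue
        st = os.lstat(path)                   # lstat: inspect the link itself
        if name != name.lower():
            findings.append((name, "name not lower-case"))
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "symlink to " + os.readlink(path)))
        elif st.st_nlink > 1:                 # an edit may silently break the link
            findings.append((name, "hard-linked"))
        if os.stat(path).st_mode & 0o022:     # file protections of the target
            findings.append((name, "writable by group/other"))
        with open(path) as fh:
            for lineno, raw in enumerate(fh, 1):
                fields = raw.split("#", 1)[0].split(None, 3)
                # First field must be a module-type; a leftover service-name
                # copied from /etc/pam.conf is reported as malformed.
                if fields and (len(fields) < 3 or fields[0].lower() not in MODULE_TYPES):
                    findings.append((name, f"line {lineno}: malformed entry"))
    return findings

def demo():
    """Build a constructed sample directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        def put(name, text, mode=0o644):
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write(text)
            os.chmod(p, mode)
        put("login", "auth required pam_unix.so\naccount required pam_unix.so\n")
        put("Su", "auth required pam_unix.so\n")                   # wrong case
        put("other", "other auth required pam_deny.so\n", 0o666)  # pam.conf-style line
        os.link(os.path.join(d, "login"), os.path.join(d, "ftp"))
        os.symlink("login", os.path.join(d, "rlogin"))
        return audit_pam_d(d)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```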