solaris /dev/console patch

[Havoc Pennington]

Robert McQueen wrote:
> On a related note, I would appreciate a better mechanism for making a
> cleaner system-dependent implementation of this policy. RedHat uses
> pam_console, but Ubuntu has a pretty heavy patch to instead use their
> pam_foreground module & lock files to enforce that the at_console policy
> must also be the currently active tty, which seems to be closer to what
> this Solaris patch does. I discussed with them a more extensible means
> of adding policies rather than overloading/retasking the at_console like
> this, but they deemed the configuration parser too fragile to add a new
> option without quite a lot of work.
> 
> It seems to me like we should think about a better way to achieve this
> so that we could support more of these policies in a clean way, rather
> than ending up with either heavy distro or system-specific patching or a
> load of ifdef'd code.
>

Well, if the Ubuntu way still _means_ "at_console" in effect (and 
doesn't have some different semantic) then using the same at_console 
config option seems sensible.

I guess I don't know whether "at_active_console" would be different 
enough to merit a distinct config option.

I don't really get why it'd be hard to change the config parser, it's 
just a straightforward XML parser ...

Adding not-integrated-upstream config options is probably bad, though.

Anyway, I don't know about this patch and afaik it's never been 
submitted, so tough to comment too much ;-)

In general we've taken distribution-specific stuff, e.g. init scripts, 
into the upstream source - as long as it's appropriately sorted out in 
configure.in

Making this cleaner/less-ifdef'd would be nice, though it isn't 
transparently obvious to me how to do it. We might want to use 
all-runtime conditionals and not ifdef, is one approach.

Havoc