Commitment: Per user Authentication Policy (2005/275)
Submitter: Nicolas Williams
Owner: Darren Moffat

SUMMARY
=======

No UIRB review required since changes are simple.

TCA for drop down list of defaults
TCR on warning if file doesn't exist
TCR unix policy as fallback if no user or system policy

Advice: Project team sync with Rampart PAC RBACTrainWreck

ISSUES
======

gw-1  Question to the members: do the SMC changes require a UIRB review?
      LSARC and UIRB in the past have dealt with SMC.

      * PSARC will take ownership of this issue.

gw-1a Perhaps something richer than just a type-in would be desirable. For
      example, could there be a list constructed from /usr/lib/security as
      well as a type-in? Could there be some validation that a typed-in PAM
      policy file does exist?

      * No, the p-team cannot give users a drop list because the directory
        where this list goes is full of garbage. As for checking to see if
        a policy exists, the project team can do that, but it would be a
        local check, and that's it. Some feel that there should be a URI
        here, but until then there isn't much that can be done except a
        local check.

gw-2  pam_user_policy, more for the case that makes this go live: just
      wondering, should there be some backup default
      (viz: /usr/lib/security/unix) if the policy is not found? This may be
      helpful in protecting against admin failures. I agree that
      PAM_SYSTEM_ERR is the right thing to return for administrative
      errors; it's returned for not finding a conf file.

      * This is to make sure that there is a UNIX policy (this is only if
        you cannot find a default policy).

gw-3  user_policy: probably a nit, some of the ``files'' need to consider
      things like unix_cred, unix_session, authtok*.

      * Already discussed.

gw-4  Nit: pam_eval/pam_user_policy: perhaps more info relative to stacking
      of modules as "optional" if in the middle of the stack would be
      helpful.

gw-5  Nit: I have a number of non-architectural updates for
      pam_user_policy.

gw-6  Rampart memorial question -- this time relates to SMC

      * Please talk to the rampart team.

VOTE
====

yes     - gary, ed, jim, bill, darren
no      -
abstain -
NP      - glenn, shudong

NEXT STEP
=========

* Case approved during today's meeting
* waiting need opinion
* Interface changes
* TCA - file extension is acceptable and a drop down list of default
  policies would be nice based on that extension

==============================================================================
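The fallback order agreed in gw-2 and the two TCRs (warn when a policy file is missing, fall back to the unix policy when neither the user nor the system policy is found) can be sketched as a small resolver. This is added example code, not the Solaris pam_user_policy module; it assumes policy names are bare file names under /usr/lib/security, and the `present` list is a test hook that stands in for the filesystem.

```c
/* Illustrative resolver for the pam_user_policy fallback order discussed
 * in gw-2: per-user policy, then the system default policy, then the stock
 * unix policy.  Added example, not the Solaris module; helper names and
 * the `present` test hook are assumptions. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define PAM_SUCCESS    0
#define PAM_SYSTEM_ERR 4            /* returned for administrative errors */

#define POLICY_DIR  "/usr/lib/security"   /* directory named in the case */
#define UNIX_POLICY "unix"                /* last-resort policy (gw-2) */

/* Existence check.  `present` is a NULL-terminated list of policy names
 * to treat as existing (a hook so the logic can be exercised offline);
 * when it is NULL the real filesystem is consulted. */
static int policy_exists(const char *name, const char *path,
                         const char *const *present) {
    if (present == NULL)
        return access(path, R_OK) == 0;
    for (; *present != NULL; present++)
        if (strcmp(*present, name) == 0)
            return 1;
    return 0;
}

/* user_policy / system_policy may be NULL when not configured.  Policy
 * names are bare file names under POLICY_DIR (assumption); anything
 * containing '/' is skipped.  On success the chosen path is written to
 * `out`.  Each missing candidate gets a warning (the TCR in the summary);
 * if even the unix policy is missing, PAM_SYSTEM_ERR is returned. */
int resolve_policy(const char *user_policy, const char *system_policy,
                   const char *const *present, char *out, size_t outlen) {
    const char *candidates[] = { user_policy, system_policy, UNIX_POLICY };
    for (size_t i = 0; i < 3; i++) {
        const char *name = candidates[i];
        if (name == NULL || *name == '\0' || strchr(name, '/') != NULL)
            continue;
        int n = snprintf(out, outlen, "%s/%s", POLICY_DIR, name);
        if (n < 0 || (size_t)n >= outlen)
            continue;                          /* name too long; skip it */
        if (policy_exists(name, out, present))
            return PAM_SUCCESS;
        fprintf(stderr, "pam_user_policy: policy file %s not found\n", out);
    }
    if (outlen > 0)
        out[0] = '\0';
    return PAM_SYSTEM_ERR;
}
```

Passing `NULL` for `present` makes the same function check the real /usr/lib/security directory.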