While writing the PAM documentation for Gentoo developers (basically a reference on how to handle PAM-compatible software in the tree), I ended up thinking about a way to make simpler handling non-basic configuration for PAM services. The main problem is that some modules, like pam_limits, or pam_listfiles, aren’t present in FreeBSD modules, sometimes have slightly modified syntax and different names, sometimes they are missing entirely.
My idea is to write some meta-syntax for comments, something like
#%EPAM-If-Has:sys-libs/pam%#auth required pam_listfiles.so $misc_params #%EPAM-If-Has:sys-freebsd/freebsd-pam-modules%#account required pam_ftpusers.so $misc_params
At that point, in pkg_preinst, the ebuild would call an eclass function that could resolve the the EPAM directives by either removing the comment, or by replacing it with a “Only for $foo package” comment for the users.
It might require some work, but should make it way easier to tweak configuration files, and will make it way easier the transitions in the future; think if we could have done something like this in the past:
#%EPAM-If-Has:=sys-libs/pam-0.78%#auth include system-auth
Would have made the pam_stack to include directive migration way easier.
This of course is even more time I need to pour into PAM, even though it will most likely mean less time to waste in the future if something changes. Too bad I don’t have a job paying me for doing this stuff, at least I could find an excuse with myself to work on such an obnoxious area..