Improving pam.conf(5) manual page

Valeriu Mutu vmutu at pcbi.upenn.edu
Fri Aug 15 18:28:41 UTC 2008


Hi,

After experimenting with PAM lately, I found the manual page pam.conf(5) somewhat confusing regarding the definition of the "sufficient" control flag:

sufficient = If this module succeeds, the chain is broken and the result is success.  If it fails, the rest of the chain still runs, but the final result will be failure unless a later module succeeds.

Nevertheless the chain isn't broken when there are modules with a "required" flag. Here is an example:
 auth            sufficient      pam_unix.so             debug no_warn try_first_pass
 auth            required        pam_deny.so             debug
Hence, pam_deny will be invoked even if pam_unix succeeds.

If the above is changed to:
 auth            sufficient      pam_unix.so             debug no_warn try_first_pass
 auth            sufficient      pam_deny.so             debug
then pam_deny isn't invoked as it has the "sufficient" flag now.

I checked the manual page for pam.conf(5) in FreeBSD 8-current and it contains the same definition of "sufficient" as shown above. I checked it here:
http://www.freebsd.org/cgi/man.cgi?query=pam.conf&apropos=0&sektion=0&manpath=FreeBSD+8-current&format=html

Hence, it would be helpful if the definition were changed to:

sufficient = If this module succeeds and the following modules are sufficient, the chain is broken and the result is success. If it fails, the rest of the chain still runs, but the final result will be failure unless a later module succeeds.

Valeriu

-- 
Valeriu Mutu
Penn Center for Bioinformatics
215-573-8119
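
The two wordings of "sufficient" quoted in the message above can be compared on its two policy snippets. This is an added example, not part of the original post and not OpenPAM code: it models only the two sentences as written. The `run_chain` helper, the `OUTCOMES` table, and the treatment of "required" (a failure forces a failing result, the chain continues) are assumptions.

```python
# Policy snippets from the message (facility, control flag, module, options).
POLICY_REQUIRED_LAST = """\
auth  sufficient  pam_unix.so  debug no_warn try_first_pass
auth  required    pam_deny.so  debug
"""
POLICY_SUFFICIENT_LAST = """\
auth  sufficient  pam_unix.so  debug no_warn try_first_pass
auth  sufficient  pam_deny.so  debug
"""
# Constructed module outcomes: pam_unix accepts the user, pam_deny always fails.
OUTCOMES = {"pam_unix.so": True, "pam_deny.so": False}

def parse_policy(text):
    """Return [(facility, flag, module, options)], skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {line!r}")
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries

def run_chain(entries, outcomes, wording):
    """Walk one chain under the 'manpage' or 'proposed' wording of "sufficient".
    Returns (modules invoked in order, final result)."""
    invoked, failed, succeeded = [], False, False
    for i, (_, flag, module, _) in enumerate(entries):
        ok = outcomes[module]
        invoked.append(module)
        if flag == "required":
            # Assumption: a failed "required" module forces failure, chain goes on.
            failed = failed or not ok
            succeeded = succeeded or ok
        elif flag == "sufficient":
            rest_sufficient = all(e[1] == "sufficient" for e in entries[i + 1:])
            if ok and (wording == "manpage" or rest_sufficient):
                return invoked, True          # chain is broken, result is success
            succeeded = succeeded or ok       # otherwise the rest still runs
        else:
            raise ValueError(f"flag {flag!r} is outside the scope of this model")
    return invoked, succeeded and not failed

if __name__ == "__main__":
    for name, text in (("required last", POLICY_REQUIRED_LAST),
                       ("sufficient last", POLICY_SUFFICIENT_LAST)):
        for wording in ("manpage", "proposed"):
            print(name, wording, run_chain(parse_policy(text), OUTCOMES, wording))
```

Only the first snippet separates the two wordings: the man page text predicts that pam_deny is skipped, while the proposed text predicts that it is invoked.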



More information about the freebsd-doc mailing list