> Yes, the answers two the two questions can be related (e.g. "bob
> should be allowed access to the system from 10AM to 10PM every day,
> but allowed access to the tape drive only if he logs in after 5PM on
> weekends"), but it's _still_ not clear to me that there's a need to
> add the complexity necessary to solve them both at the same time.

>From my point of view the complexity is miniscule and the payoff large.  If
the callout program returns 0, then the login continues and the program may
or may not have performed certain actions.  If it returns non zero, the
authorization fails and the login terminates.  Since the default will be to
not have any callout program, that case is easy.  Making a shell script
that always returns 0 (ie. may change devices, but never judges the
validity of the user's requested access) is quite easy.

The payoff comes to those who use NetBSD for commercial services.  Those
are the folks that need to control access times or access services.  Most
folks like us have no need for this since we have personal machines, but
that hardly means there's little need for it.

I strongly disagree that there are two separate functions here.  And I
think it's a bad design decision to split the pieces apart.  I really liked
the original position you took that the problem solution should be simple
and highly general.  So let's not have two sets of hooks for a single
problem.  Authorization IS the task of granting privileges.  Changing modes
on devices is just as much "privilege granting" as allowing shell access.
If we're going to solve this, let's create a single interface that's 
simple (call a program and check the return value).  Then this very general
interface can be used for ftp, login or any other service.

Dave