> > does really "alternate policy" need to be application specific?
> 
> not sure i understand what you're saying here...

you said that an application provides a default value
when pw_policy_load failed.  it made me think that, on the lack of
passwd.conf, each applications behave differently with their own
hardcoded defaults.  i'm not sure if it's a good thing.

> > IMO, hiding implementation details is a good enough reason to use malloc.
> 
> see attached diff -- would something like that be okay?

seems better to me.

YAMAMOTO Takashi