| field | value | |
|---|---|---|
| author | Thorsten Kukuk <kukuk@thkukuk.de> | 2007-06-22 09:49:03 +0000 |
| committer | Thorsten Kukuk <kukuk@thkukuk.de> | 2007-06-22 09:49:03 +0000 |
| commit | 4b951f0e7dea276cafa87cb344847ff1ae44fb9c | (patch) |
| tree | ab80b95332d647d6d89f64a5598677e87fedf04e | /modules/pam_access/access.conf |
| parent | 2cffe6c172c372ac6ddf4c948c92373f69ed7def | (diff) |
Relevant BUGIDs: 411390
Purpose of commit: new feature
Commit summary:
---------------
2007-06-22 Thorsten Kukuk <kukuk@thkukuk.de>
* modules/pam_access/pam_access.c: Add new syntax for groups
in access.conf to differentiate group names from account names.
Based on patch from Julien Lecomte <julien@famille-lecomte.net>,
solves feature request [#411390].
* modules/pam_access/access.conf: Add example for new group
syntax.
* modules/pam_access/access.conf.5.xml: Document new syntax.
Diffstat (limited to 'modules/pam_access/access.conf')
-rw-r--r-- | modules/pam_access/access.conf | 28 |
1 files changed, 18 insertions, 10 deletions
diff --git a/modules/pam_access/access.conf b/modules/pam_access/access.conf index b22f1d43..74c5fbe8 100644 --- a/modules/pam_access/access.conf +++ b/modules/pam_access/access.conf @@ -1,14 +1,14 @@ # Login access control table. -# +# # Comment line must start with "#", no space at front. # Order of lines is important. # # When someone logs in, the table is scanned for the first entry that # matches the (user, host) combination, or, in case of non-networked # logins, the first entry that matches the (user, tty) combination. The -# permissions field of that table entry determines whether the login will +# permissions field of that table entry determines whether the login will # be accepted or refused. -# +# # Format of the login access control table is three fields separated by a # ":" character: # @@ -17,11 +17,11 @@ # '|'. This is useful for configurations where you are trying to use # pam_access with X applications that provide PAM_TTY values that are # the display variable like "host:0".] -# +# # permission : users : origins -# +# # The first field should be a "+" (access granted) or "-" (access denied) -# character. +# character. # # The second field should be a list of one or more login names, group # names, or ALL (always matches). A pattern of the form user@host is 
@@ -42,20 +42,28 @@ # The group file is searched only when a name does not match that of the # logged-in user. Both the user's primary group is matched, as well as # groups in which users are explicitly listed. +# To avoid problems with accounts, which have the same name as a group, +# you can use brackets around group names '(group)' to differentiate. +# In this case, you should also set the "nodefgroup" option. # # TTY NAMES: Must be in the form returned by ttyname(3) less the initial # "/dev" (e.g. tty1 or vc/1) # ############################################################################## -# +# # Disallow non-root logins on tty1 # #-:ALL EXCEPT root:tty1 -# +# # Disallow console logins to all but a few accounts. # #-:ALL EXCEPT wheel shutdown sync:LOCAL # +# Same, but make sure that really the group wheel and not the user +# wheel is used (use nodefgroup argument, too): +# +#-:ALL EXCEPT (wheel) shutdown sync:LOCAL +# # Disallow non-local logins to privileged accounts (group wheel). # #-:wheel:ALL EXCEPT LOCAL .win.tue.nl @@ -87,7 +95,7 @@ # Uses string matching also. #+ : root : .foo.bar.org # -# User "root" should be denied to get access from all other sources. +# User "root" should be denied to get access from all other sources. #- : root : ALL # # User "foo" and members of netgroup "nis_group" should be @@ -111,4 +119,4 @@ #+ : john : 2001:4ca0:0:101::/64 # # All other users should be denied to get access from all sources. -#- : ALL : ALL +#- : ALL : ALL |
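Review bot: the @@ -1,14 +1,14 @@ hunk (and likewise the @@ -17,11 +17,11 @@ and @@ -87,7 +95,7 @@ hunks) changes nothing but trailing whitespace on comment lines (`-# ` to `-#`, `... the login will ` to `... the login will`), so most of the 18 insertions and 10 deletions in the diffstat are noise around the three lines of new documentation and the five-line example that this commit is actually about. Suggest moving the whitespace cleanup into its own commit, or at least saying in the commit message that access.conf was also stripped of trailing whitespace, so a later reader of `git blame` is not misled into thinking these comment lines were rewritten here.

Review bot: in the @@ -42,20 +42,28 @@ hunk the new comment tells the administrator to set the "nodefgroup" option when using the '(group)' syntax, but not what that option does to the unbracketed names on the same line; the option name and the example's remark ("make sure that really the group wheel and not the user wheel is used") suggest that bare names are then no longer looked up as groups, so in `#-:ALL EXCEPT (wheel) shutdown sync:LOCAL` the tokens `shutdown` and `sync` would be matched as accounts only. That consequence should be stated in the comment, otherwise an administrator who copies the example and adds nodefgroup can silently lose an exception that previously matched through the group database. Two wording points on the added lines: "accounts, which have the same name as a group" is a restrictive clause and should read "accounts that have the same name as a group", and the example header reads more naturally as "Same, but make sure the group wheel, not the user wheel, is meant (pass the nodefgroup argument as well)".

Review bot: the @@ -111,4 +119,4 @@ hunk replaces `#- : ALL : ALL` with a line that is textually identical, so the only possible difference is trailing whitespace or a newline at end of file; the "No newline at end of file" marker, if that is the cause, is not shown in this rendering. Either way this is the same kind of unrelated cleanup as the earlier whitespace hunks and belongs with them rather than in the feature commit, or should be named in the commit message.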