author: Thorsten Kukuk <kukuk@thkukuk.de> 2007-06-22 09:49:03 +0000
committer: Thorsten Kukuk <kukuk@thkukuk.de> 2007-06-22 09:49:03 +0000
commit: 4b951f0e7dea276cafa87cb344847ff1ae44fb9c
tree: ab80b95332d647d6d89f64a5598677e87fedf04e /modules/pam_access/access.conf.5.xml
parent: 2cffe6c172c372ac6ddf4c948c92373f69ed7def
Relevant BUGIDs: 411390
Purpose of commit: new feature
Commit summary:
---------------
2007-06-22 Thorsten Kukuk <kukuk@thkukuk.de>

* modules/pam_access/pam_access.c: Add new syntax for groups in access.conf to differentiate group names from account names. Based on patch from Julien Lecomte <julien@famille-lecomte.net>, solves feature request [#411390].
* modules/pam_access/access.conf: Add example for new group syntax.
* modules/pam_access/access.conf.5.xml: Document new syntax.
Diffstat (limited to 'modules/pam_access/access.conf.5.xml')
-rw-r--r-- modules/pam_access/access.conf.5.xml | 37
1 files changed, 23 insertions, 14 deletions
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
index 492f995d..f8eb7a4e 100644
--- a/modules/pam_access/access.conf.5.xml
+++ b/modules/pam_access/access.conf.5.xml
@@ -20,19 +20,19 @@
<title>DESCRIPTION</title>
<para>
The <filename>/etc/security/access.conf</filename> file specifies
- (<replaceable>user</replaceable>, <replaceable>host</replaceable>),
- (<replaceable>user</replaceable>, <replaceable>network/netmask</replaceable>) or
- (<replaceable>user</replaceable>, <replaceable>tty</replaceable>)
+ (<replaceable>user/group</replaceable>, <replaceable>host</replaceable>),
+ (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>) or
+ (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>)
combinations for which a login will be either accepted or refused.
</para>
<para>
When someone logs in, the file <filename>access.conf</filename> is
scanned for the first entry that matches the
- (<replaceable>user</replaceable>, <replaceable>host</replaceable>) or
- (<replaceable>user</replaceable>, <replaceable>network/netmask</replaceable>)
+ (<replaceable>user/group</replaceable>, <replaceable>host</replaceable>) or
+ (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>)
combination, or, in case of non-networked logins, the first entry
that matches the
- (<replaceable>user</replaceable>, <replaceable>tty</replaceable>)
+ (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>)
combination. The permissions field of that table entry determines
whether the login will be accepted or refused.
</para>
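Review bot: the DESCRIPTION now says "user/group" in every tuple but never says how a group is written, and the parenthesised form is only introduced two hunks later in the field description. A short clause in the first paragraph, e.g. "(a group is written as (group))", would save a reader who only skims this section from assuming a bare name is unambiguous; first-match semantics ("the first entry that matches") are otherwise unchanged and apply equally to group matches.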
@@ -43,7 +43,7 @@
</para>
<para>
- <replaceable>permission</replaceable>:<replaceable>users</replaceable>:<replaceable>origins</replaceable>
+ <replaceable>permission</replaceable>:<replaceable>users/groups</replaceable>:<replaceable>origins</replaceable>
</para>
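Review bot: the field is named <replaceable>users/groups</replaceable> here but <replaceable>users</replaceable>/<replaceable>group</replaceable> in the next hunk; pick one spelling (users/groups reads better, since the field is a list) and use it in both places.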
@@ -54,9 +54,12 @@
</para>
<para>
- The second field, the <replaceable>users</replaceable>
+ The second field, the
+ <replaceable>users</replaceable>/<replaceable>group</replaceable>
field, should be a list of one or more login names, group names, or
- <emphasis>ALL</emphasis> (which always matches).
+ <emphasis>ALL</emphasis> (which always matches). To differentiate
+ user entries from group entries, group entries should be written
+ with brackets, e.g. <emphasis>(group)</emphasis>.
</para>
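Review bot: "brackets" is ambiguous (the example shows parentheses, and a reader may reasonably try [group]); say "parentheses" and keep the <emphasis>(group)</emphasis> example. The paragraph should also state what a name without parentheses means, since that is the ambiguity the commit message says this syntax is meant to remove: a bare name is matched as a login name first and, unless the module is given <option>nodefgroup</option>, then as a group name. Spelling that out here lets an administrator see why the parenthesised form is the one to prefer in deny and EXCEPT rules, where a bare name that happens to match both an account and a group is exactly the case the new syntax disambiguates.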
<para>
@@ -72,15 +75,15 @@
</para>
<para>
- The <replaceable>except</replaceable> operator makes it possible to
+ The <replaceable>EXCEPT</replaceable> operator makes it possible to
write very compact rules.
</para>
<para>
- The group file is searched only when a name does not match that of
- the logged-in user. Only groups are matched in which users are
- explicitly listed. However the PAM module does not look at the
- primary group id of a user.
+ If the <option>nodefgroup</option> is not set, the group file
+ is searched when a name does not match that of the logged-in
+ user. Only groups are matched in which users are explicitly listed.
+ However the PAM module does not look at the primary group id of a user.
</para>
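Review bot: <option>nodefgroup</option> is used here as if the reader already knows it, but access.conf(5) does not define it anywhere; it is a module argument, so the sentence should point to the pam_access manual page (pam_access(8)) and also state the other branch explicitly, i.e. that with <option>nodefgroup</option> set only names written in parentheses are looked up as groups, so a bare name that matches no account simply does not match. The change from "except" to "EXCEPT" is correct and matches the examples below. Minor: "If the nodefgroup is not set" reads better as "If the nodefgroup option is not set".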
@@ -163,6 +166,12 @@
<para>+ : john : 2001:4ca0:0:101::/64</para>
<para>
+ Disallow console logins to all but the shutdown, sync and all
+ other accounts, which are a member of the wheel group.
+ </para>
+ <para>-:ALL EXCEPT (wheel) shutdown sync:LOCAL</para>
+
+ <para>
All other users should be denied to get access from all sources.
</para>
<para>- : ALL : ALL</para>
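Review bot: the wording of the new example is hard to parse ("all but the shutdown, sync and all other accounts, which are a member of the wheel group"); suggest "Deny console (LOCAL) logins to everyone except the shutdown and sync accounts and members of the wheel group." The rule line itself is written without the spaces around the colons that every other example in this file uses (compare "+ : john : 2001:4ca0:0:101::/64"); either form is accepted, but the examples should follow one style, so "- : ALL EXCEPT (wheel) shutdown sync : LOCAL" would be consistent. It is also worth noting in the text that shutdown and sync here are bare account names while (wheel) is a group, since that is the point the example is meant to illustrate.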