path: root/modules/pam_access/access.conf.5
author: Thorsten Kukuk <kukuk@thkukuk.de> 2007-06-22 09:49:03 +0000
committer: Thorsten Kukuk <kukuk@thkukuk.de> 2007-06-22 09:49:03 +0000
commit: 4b951f0e7dea276cafa87cb344847ff1ae44fb9c (patch)
tree: ab80b95332d647d6d89f64a5598677e87fedf04e /modules/pam_access/access.conf.5
parent: 2cffe6c172c372ac6ddf4c948c92373f69ed7def (diff)
Relevant BUGIDs: 411390
Purpose of commit: new feature
Commit summary:
---------------
2007-06-22 Thorsten Kukuk <kukuk@thkukuk.de>

	* modules/pam_access/pam_access.c: Add new syntax for groups in access.conf to differentiate group names from account names. Based on patch from Julien Lecomte <julien@famille-lecomte.net>, solves feature request [#411390].
	* modules/pam_access/access.conf: Add example for new group syntax.
	* modules/pam_access/access.conf.5.xml: Document new syntax.
Diffstat (limited to 'modules/pam_access/access.conf.5')
-rw-r--r--  modules/pam_access/access.conf.5  35
1 files changed, 21 insertions, 14 deletions
diff --git a/modules/pam_access/access.conf.5 b/modules/pam_access/access.conf.5
index 43cc4fce..fcd33bb4 100644
--- a/modules/pam_access/access.conf.5
+++ b/modules/pam_access/access.conf.5
@@ -1,11 +1,11 @@
.\" Title: access.conf
.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\" Date: 06/21/2006
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: 06/22/2007
.\" Manual: Linux\-PAM Manual
.\" Source: Linux\-PAM Manual
.\"
-.TH "ACCESS.CONF" "5" "06/21/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "ACCESS.CONF" "5" "06/22/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
@@ -16,32 +16,33 @@ access.conf \- the login access control table file
.PP
The
\fI/etc/security/access.conf\fR
-file specifies (\fIuser\fR,
-\fIhost\fR), (\fIuser\fR,
-\fInetwork/netmask\fR) or (\fIuser\fR,
+file specifies (\fIuser/group\fR,
+\fIhost\fR), (\fIuser/group\fR,
+\fInetwork/netmask\fR) or (\fIuser/group\fR,
\fItty\fR) combinations for which a login will be either accepted or refused.
.PP
When someone logs in, the file
\fIaccess.conf\fR
-is scanned for the first entry that matches the (\fIuser\fR,
-\fIhost\fR) or (\fIuser\fR,
-\fInetwork/netmask\fR) combination, or, in case of non\-networked logins, the first entry that matches the (\fIuser\fR,
+is scanned for the first entry that matches the (\fIuser/group\fR,
+\fIhost\fR) or (\fIuser/group\fR,
+\fInetwork/netmask\fR) combination, or, in case of non\-networked logins, the first entry that matches the (\fIuser/group\fR,
\fItty\fR) combination. The permissions field of that table entry determines whether the login will be accepted or refused.
.PP
Each line of the login access control table has three fields separated by a ":" character (colon):
.PP
-\fIpermission\fR:\fIusers\fR:\fIorigins\fR
+\fIpermission\fR:\fIusers/groups\fR:\fIorigins\fR
.PP
The first field, the
\fIpermission\fR
field, can be either a "\fI+\fR" character (plus) for access granted or a "\fI\-\fR" character (minus) for access denied.
.PP
The second field, the
-\fIusers\fR
+\fIusers\fR/\fIgroup\fR
field, should be a list of one or more login names, group names, or
\fIALL\fR
-(which always matches).
+(which always matches). To differentiate user entries from group entries, group entries should be written with brackets, e.g.
+\fI(group)\fR.
.PP
The third field, the
\fIorigins\fR
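Review bot: The field name is inconsistent between the synopsis and the description: the synopsis line now reads `\fIpermission\fR:\fIusers/groups\fR:\fIorigins\fR` (plural "groups"), while the description of the second field reads `\fIusers\fR/\fIgroup\fR` (singular, and with the italic toggled off at the slash). Use the same spelling and markup in both places, e.g. `\fIusers/groups\fR`. Also, "written with brackets" is ambiguous for readers since `[...]`, `{...}` and `(...)` are all called brackets in common usage, and the example `\fI(group)\fR` is the only thing that pins it down; say "enclosed in parentheses" explicitly so that a reader who skims past the example does not write `[wheel]` and silently get a non-matching entry (a mistyped group token would match neither a user nor a group, and a deny rule relying on it would not fire).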
@@ -54,10 +55,12 @@ field, should be a list of one or more tty names (for non\-networked logins), ho
in host or user patterns.
.PP
The
-\fIexcept\fR
+\fIEXCEPT\fR
operator makes it possible to write very compact rules.
.PP
-The group file is searched only when a name does not match that of the logged\-in user. Only groups are matched in which users are explicitly listed. However the PAM module does not look at the primary group id of a user.
+If the
+\fBnodefgroup\fR
+is not set, the group file is searched when a name does not match that of the logged\-in user. Only groups are matched in which users are explicitly listed. However the PAM module does not look at the primary group id of a user.
.PP
The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line.
.SH "EXAMPLES"
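Review bot: The new sentence "If the \fBnodefgroup\fR is not set, the group file is searched ..." is missing a noun after `nodefgroup` and never says what `nodefgroup` is; nothing else in access.conf(5) mentions it. Since it is a module argument of pam_access rather than a token in access.conf, write something like "If the \fBnodefgroup\fR option of pam_access(8) is not set, ..." and add a cross reference in the SEE ALSO section, otherwise an administrator reading only this page has no way to find where the option is configured. It would also help to state the other half of the behaviour in the same paragraph: with the option set, only tokens written in parentheses are matched against the group database, which is the whole point of the new syntax introduced in this commit.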
@@ -143,6 +146,10 @@ should get access from IPv6 net/mask.
.PP
+ : john : 2001:4ca0:0:101::/64
.PP
+Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group.
+.PP
+\-:ALL EXCEPT (wheel) shutdown sync:LOCAL
+.PP
All other users should be denied to get access from all sources.
.PP
\- : ALL : ALL
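Review bot: The wording of the new example description is hard to parse: "Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group" reads as if shutdown and sync must also be members of wheel. Suggest "Deny console logins to everybody except the shutdown and sync accounts and members of the wheel group", which is what the rule `\-:ALL EXCEPT (wheel) shutdown sync:LOCAL` actually expresses. Two smaller points: the rule is written without the spaces around ":" that every other example on this page uses (`\- : ALL EXCEPT (wheel) shutdown sync : LOCAL` would be consistent), and it is worth a remark that this entry, like all others, is first-match, so it only has the described effect if it appears before any earlier `+` rule that would already have granted the user access.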