author Stefan Schubert <schubi@suse.de> 2022-02-04 10:17:47 +0100
committer Thorsten Kukuk <5908016+thkukuk@users.noreply.github.com> 2022-06-30 11:48:52 +0200
commit 8f9816b57e3a475fc2d2cbb106c188b778098f85 (patch)
tree 28bf87239b620e643e996c0a0e07e27fe2ca605c /modules/pam_access/pam_access.8.xml
parent eb2149d82adc912d6d24aa1a004c5e5d58e00b2b (diff)
pam_access: use vendor specific access.conf as fallback
Use the vendor directory as fallback for a distribution provided default config if there is no configuration in /etc.

* pam_access.c: Take care about the fallback configuration in vendor directory.
* pam_access.8.xml: Added description for vendor directory.
Diffstat (limited to 'modules/pam_access/pam_access.8.xml')
-rw-r--r-- modules/pam_access/pam_access.8.xml 29
1 files changed, 28 insertions, 1 deletions
diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml
index 9a6556cc..db853410 100644
--- a/modules/pam_access/pam_access.8.xml
+++ b/modules/pam_access/pam_access.8.xml
@@ -53,7 +53,7 @@
or on terminal line names, X <varname>$DISPLAY</varname> values,
or PAM service names in case of non-networked logins.
</para>
- <para>
+ <para condition="without_vendordir">
By default rules for access management are taken from config file
<filename>/etc/security/access.conf</filename> if you don't specify
another file.
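Review bot: The condition="without_vendordir" attribute added to this <para> only takes effect if the man page build profiles on "condition", and this diff, limited to pam_access.8.xml, shows no such step. If profiling is not applied, this paragraph and the new with_vendordir paragraph would both render, giving the reader two different "By default rules for access management are taken from" statements. Please confirm that the build selects exactly one of the two values in both configurations.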
@@ -66,6 +66,26 @@
If a config file is explicitly specified with the <option>accessfile</option>
option the files in the above directory are not parsed.
</para>
+ <para condition="with_vendordir">
+ By default rules for access management are taken from config file
+ <filename>/etc/security/access.conf</filename> or, if that one is not
+ present, the file <filename>%vendordir%/security/access.conf</filename>.
+ These settings can be overruled by setting in a config file explicitly
+ specified with the <option>accessfile</option> option.
+ Then individual <filename>*.conf</filename> files from the
+ <filename>/etc/security/access.d/</filename> and
+ <filename>%vendordir%/security/access.d</filename> directories are read.
+ If <filename>/etc/security/access.d/@filename@.conf</filename> exists, then
+ <filename>%vendordir%/security/access.d/@filename@.conf</filename> will not be used.
+ All <filename>access.d/*.conf</filename> files are sorted by their
+ <filename>@filename@.conf</filename> in lexicographic order regardless of which
+ of the directories they reside in.
+ The effect of the individual files is the same as if all the files were
+ concatenated together in the order of parsing. This means that once
+ a pattern is matched in some file no further files are parsed.
+ If a config file is explicitly specified with the <option>accessfile</option>
+ option the files in the above directories are not parsed.
+ </para>
<para>
If Linux PAM is compiled with audit support the module will report
when it denies access based on origin (host, tty, etc.).
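Review bot: In the new with_vendordir paragraph, the sentence "These settings can be overruled by setting in a config file explicitly specified with the accessfile option" sits directly before "Then individual *.conf files ... are read", which reads as if the access.d files are parsed after an explicit accessfile, while the paragraph's last sentence says they are not parsed in that case. Suggest dropping or moving the "overruled" sentence so that "Then" follows the default-file sentence directly; the closing sentence already covers accessfile. The merge rules also deserve one explicit sentence for administrators: because files from both directories are sorted together by name and parsing stops at the first match, a file under /etc/security/access.d only suppresses a vendor file when it has the same name, and a vendor rule in an earlier-sorting file still takes effect before a local rule in a later-sorting one. Minor: @filename@ looks like a build-time substitution token next to %vendordir%, so <replaceable> markup would be clearer, and the two access.d paths differ in their trailing slash.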
@@ -233,6 +253,13 @@
<para>Default configuration file</para>
</listitem>
</varlistentry>
+ <varlistentry condition="with_vendordir">
+ <term><filename>%vendordir%/security/access.conf</filename></term>
+ <listitem>
+ <para>Default configuration file if
+ <filename>/etc/security/access.conf</filename> does not exist.</para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
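Review bot: This variablelist gains an entry only for %vendordir%/security/access.conf; the %vendordir%/security/access.d directory, which the new with_vendordir paragraph says is read and merged with /etc/security/access.d, has no entry in the lines shown. Suggest adding a second varlistentry with condition="with_vendordir" for that directory, stating that a file there is ignored when a file of the same name exists under /etc/security/access.d, so that someone auditing which files can influence access decisions finds every location in one place.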