| field | value | |
|---|---|---|
| author | Russ Allbery <eagle@eyrie.org> | 2015-11-27 13:13:30 -0800 |
| committer | Russ Allbery <eagle@eyrie.org> | 2015-11-27 13:13:30 -0800 |
| commit | 5f05c630d8ba44a3fbe3c96efcaf2105ce9c0069 | (patch) |
| tree | 3b5f1ea280be902603f5f388cf871c4af2591bd7 | /docs |
| parent | abcb6c00e82a38a439f43eda8daef1a71f0d9647 | (diff) |
Add anyuser:auth and anyuser:anonymous ACLs
Two new remctld ACLs are supported: anyuser:auth and
anyuser:anonymous. The first is equivalent to ANYUSER, and indeed
ANYUSER is now treated as a backwards-compatibility alias for
anyuser:auth. This permits any authenticated user in either the local
realm or any realm with which there is cross-realm trust. The new
anyuser:anonymous ACL permits absolutely any user, even
unauthenticated users, allowing anyone with network access to the
server to run the command. (Note, however, that actually running
commands anonymously requires anonymous PKINIT and anonymous service
tickets be enabled for the local Kerberos realm. These are not common
configurations, particularly the second.)
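The two new ACLs land in the ACL field of ordinary remctld.conf command lines, so the practical question for an administrator is which commands on a host are reachable by any principal, or by nobody at all. The script below is an added example and not part of remctl or of this commit; it assumes the documented line format (type, service, executable, optional option=value tokens, then one or more ACLs, plus include lines) and audits a constructed sample configuration for the three any-user spellings. The command names, paths and principals in the sample are made up for the illustration.

```shell
#!/bin/sh
# Added example: audit a remctld.conf for any-user ACLs.
# The configuration below is constructed for this example; it is not from
# the remctl distribution.  Line format assumed, as documented for remctld:
#   type service executable [option=value ...] acl [acl ...]
sample_conf() {
    cat <<'EOF'
# constructed sample remctld.conf
include /etc/remctl/conf.d
host     uptime   /usr/local/bin/rc-uptime   anyuser:auth
host     whoami   /usr/local/bin/rc-whoami   ANYUSER
host     reboot   /usr/local/bin/rc-reboot   user=root princ:admin@EXAMPLE.COM
public   motd     /usr/local/bin/rc-motd     logmask=1 anyuser:anonymous
legacy   ping     /usr/local/bin/rc-ping     file:/etc/remctl/acl/pingers anyuser:anonymous
EOF
}

# Read a remctld.conf on stdin; print "<level> <type> <service> <acl>" for
# every ACL entry that grants access beyond an explicit principal list.
#   CRITICAL  anyuser:anonymous  (no authentication at all)
#   WARN      anyuser:auth / ANYUSER  (any principal, including cross-realm)
# ANYUSER is matched case-sensitively, as the documentation states.
audit_remctl_acls() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }   # comments and blank lines
        $1 == "include"             { next }   # include lines carry no ACL
        {
            for (i = 4; i <= NF; i++) {
                # option=value tokens sit between the executable and the ACLs
                if ($i ~ /^[A-Za-z_]+=/) continue
                if ($i == "anyuser:anonymous")
                    print "CRITICAL", $1, $2, $i
                else if ($i == "anyuser:auth" || $i == "ANYUSER")
                    print "WARN", $1, $2, $i
            }
        }'
}

# Stand-alone run: audit the constructed sample.
sample_conf | audit_remctl_acls
```

On the sample this reports the uptime and whoami commands as open to any authenticated principal and motd and ping as open to anonymous clients; reboot, which is restricted to a named principal, is not reported. The ping line is the case worth noticing: because entries are checked in order and the first match grants access, the trailing anyuser:anonymous makes the file ACL before it irrelevant, and the audit flags the line on that entry alone. Run the function against a real file with `audit_remctl_acls < /etc/remctl/remctld.conf`; it does not follow include directives, so run it over each included file or directory as well.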
Diffstat (limited to 'docs')
-rw-r--r-- | docs/remctld.pod | 28
1 files changed, 28 insertions, 0 deletions
diff --git a/docs/remctld.pod b/docs/remctld.pod index 3dcd5e9..77cfb4b 100644 --- a/docs/remctld.pod +++ b/docs/remctld.pod @@ -330,6 +330,9 @@ If I<method> is omitted, I<acl> must either begin with C</> or must not contain C<=>. Otherwise, it will be parsed as an option instead. If there is any ambiguity, prepend the I<method>. +As a special exception for backward compatibility, the ACL C<ANYUSER> +(case-sensitive) is treated as equivalent to C<anyuser:auth>. + Each entry is checked in order, and access is granted as soon as an entry matches. If no entry matches, access is denied. The following methods may supported; however, be aware that the availability of several ACL @@ -338,6 +341,31 @@ type is annotated with the version in which it was added. =over 4 +=item anyuser + +[3.10] Permit access to any user. This comes in two forms: + +=over 4 + +=item anyuser:auth + +Permit any authenticated user. This means not only the local Kerberos +realm but also any realm with which there is a cross-realm trust +relationship. + +=item anyuser:anonymous + +Permit entirely anonymous users. This means no authentication whatsoever +is required to run the command. Any client with network access to the +server can run the command (using anonymous PKINIT), assuming that +anonymous service tickets are enabled for the local Kerberos realm. + +=back + +For backwards compatibility, the ACL C<ANYUSER> is treated as identical to +C<anyuser:auth>. This was the only supported any-user ACL syntax prior to +remctl 3.10. + =item file [2.13] The data is the full path of an ACL file or to a directory |
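Review bot: the sentence added in the first hunk, "As a special exception for backward compatibility, the ACL C<ANYUSER> (case-sensitive) is treated as equivalent to C<anyuser:auth>.", restates what the second hunk says again at the end of the new "=item anyuser" ("For backwards compatibility, the ACL C<ANYUSER> is treated as identical to C<anyuser:auth>."). Keep it in one place, preferably under the anyuser item where a reader looking up the ACL will find it; if both stay, make them agree: only the first mentions that the alias is case-sensitive, and the two spell "backward"/"backwards" differently. The unchanged context line "The following methods may supported" is a pre-existing typo ("may be supported") worth fixing while this paragraph is being edited.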
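Review bot: the anyuser:anonymous text in the second hunk should say plainly that whether this ACL lets anyone in is decided by KDC configuration outside remctld's control. As written it first says "no authentication whatsoever is required", then conditions that on "anonymous service tickets are enabled for the local Kerberos realm", while the commit message names two prerequisites (anonymous PKINIT and anonymous service tickets); list both as prerequisites and add the warning that enabling them in the realm later silently turns every command carrying anyuser:anonymous into one any network peer can run. Since the preceding paragraph says entries are checked in order and access is granted on the first match, it is also worth stating that an anyuser:anonymous entry makes every other ACL on the same line irrelevant. The "=item anyuser" text says the ACL "comes in two forms" but never says what a bare "anyuser" with no :auth or :anonymous qualifier does (accepted as one of them, or rejected), and it does not say what identity an anonymous client shows up as in remctld's logging; both would help an administrator reviewing a configuration or an access log.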