author Russ Allbery <eagle@eyrie.org> 2014-06-15 18:54:19 -0700
committer Russ Allbery <rra@stanford.edu> 2014-06-16 10:59:17 -0700
commit e12735a7f406b0b6366fd70f40f5f05be8bf5e26 (patch)
tree 29332aca2f9ce47abdb4b801499c92df83dd293f /docs
parent b99eb9d07259fa8836d2e4debce5719541c509a0 (diff)
Rename the unxgrp ACL type to localgroup
No particularly strong reason other than I like it better aesthetically, although it does include the "local" part as a reference to krb5_aname_to_localname.

Change-Id: I3b0bbb056271222e79b21cf2d96d04e9ef0bf1fe
Reviewed-on: https://gerrit.stanford.edu/1502
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
Diffstat (limited to 'docs')
-rw-r--r-- docs/remctld.pod | 37
1 files changed, 24 insertions, 13 deletions
diff --git a/docs/remctld.pod b/docs/remctld.pod
index cd46189..dc68e17 100644
--- a/docs/remctld.pod
+++ b/docs/remctld.pod
@@ -3,8 +3,7 @@ remctld remctl -dFhmSvZ keytab GSS-API tcpserver inetd subcommand AFS
backend logmask NUL acl ACL princ filename gput CMU GPUT xform ANYUSER IP
IPv4 IPv6 hostname SCPRINCIPAL sysctld Heimdal MICs Ushakov Allbery
subcommands REMUSER pcre PCRE triple-DES MERCHANTABILITY username arg
-SIGCONT SIGSTOP systemd IANA-registered
-unxgrp
+SIGCONT SIGSTOP systemd IANA-registered localgroup
=head1 NAME
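Review bot: the stopword list gains localgroup, but getgrnam_r, which the new text in the following hunk introduces, is not added here; if the POD spelling check flags it, append it to the same line so the rename commit does not leave the documentation tests failing.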
@@ -401,6 +400,29 @@ the optional I<xform> or the default transform.
This method is supported only if B<remctld> was compiled with GPUT support
by using the C<--with-gput> configure option.
+=item localgroup
+
+[3.9] This method is used to grant or deny access based on membership in
+local UNIX groups. The data is taken to be a name of a local system
+group. The user principal is converted to a local user name
+with krb5_aname_to_localname(3) and then compared to the members of the
+given group.
+
+For example, to allow access to the members of group C<goodguys>, use an
+ACL of C<localgroup:goodguys> syntax. To deny access to the members of
+group C<badguys>, use C<deny:localgroup:badguys>.
+
+krb5_aname_to_localname() follows local configuration rules to determine
+how to convert Kerberos principal to local users. If the realm of the
+principal is not in a local realm and is not otherwise covered by one of
+those rules, the principal will be unchanged, which will almost certainly
+mean that it will not be a member of any local group and access will be
+denied.
+
+This method is supported only if B<remctld> was built with Kerberos
+support and the getgrnam_r(3) library function was supported by the C
+library when it was built.
+
=item pcre
[2.16] This method is used to grant or deny access based on
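Review bot: the fail-closed behaviour in the paragraph beginning "krb5_aname_to_localname() follows local configuration rules" is stated too loosely; "the principal will be unchanged, which will almost certainly mean that it will not be a member of any local group and access will be denied" should state definitively that a principal which cannot be mapped to a local user is denied, and the implementation should refuse on a mapping failure rather than compare the unmapped principal string against the group's member list. Two smaller wording points in the same hunk: "use an ACL of C<localgroup:goodguys> syntax" reads better as "use the C<localgroup:goodguys> syntax", matching the other ACL entries, and "how to convert Kerberos principal to local users" / "is not in a local realm" should be "Kerberos principals to local users" / "is not a local realm".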
@@ -421,17 +443,6 @@ identity. To deny access, use the C<deny:regex:I<regex>> syntax.
This method is supported only if a library for POSIX-compatible regular
expressions was found when B<remctld> was built.
-=item unxgrp
-
-This method is used to grant or deny access using Unix groups.
-The user principal is converted to a local user name with I<krb5_aname_to_localname(3)>
-and then compared to the members of B<group>.
-To allow access to the members of group C<goodguys>, use the C<unxgrp:goodguys> syntax, whereas
-to deny access to the members of group C<badguys>, use the C<deny:unxgrp:badguys> syntax.
-
-Because of how I<krb5_aname_to_localname(3)> works, if the user principal isn't in one of
-the local realms, access will be denied.
-
=back
To see the list of ACL types supported by a particular build of
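Review bot: removing the unxgrp entry without mentioning the rename leaves anyone with an existing ACL file using the unxgrp: prefix with no documentation of why it stopped working; add a sentence here or in NEWS stating that unxgrp was renamed to localgroup in 3.9, unless a compatibility alias for the old name is kept. Note also that the removed text promised outright denial when the principal is not in a local realm, which is stronger than the "almost certainly" wording that replaces it in the previous hunk.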