LinuxQuestions.org


custangro 06-01-2009 05:15 PM

Access control with access.conf file
 
Question about the /etc/security/access.conf file...

I was thinking about only allowing access to the group sysadmins to this server...

The entry would look like...
Code:

+ : @sysadmins : ALL

My question is: Is there an implied "deny the rest" or do I have to put that in?

In other words...should my entry look like this...

Code:

+ : @sysadmins : ALL
- : ALL : ALL

I'm running RHEL 5.3

-C

jhcaiced 06-01-2009 07:11 PM

Hi,

I think that you have to define the deny to all rule
in access.conf the line should be:

-:ALL: ALL EXCEPT LOCAL

(This allows local connections from the same host)

Best regards,

anomie 06-01-2009 09:43 PM

Quote:

Originally Posted by custangro
My question is: Is there an implied "deny the rest" or do I have to put that in?

No. You have to explicitly write the deny rule.

As mentioned, you can use the EXCEPT operator to squeeze the two rules into one. (Although, IMO, it makes the ruleset harder to read. Just depends on how your brain works.)

custangro 06-01-2009 09:54 PM

Quote:

Originally Posted by anomie (Post 3559771)
No. You have to explicitly write the deny rule.

As mentioned, you can use the EXCEPT operator to squeeze the two rules into one. (Although, IMO, it makes the ruleset harder to read. Just depends on how your brain works.)

Thanks...

Question about "squeezing the two rules"...

does the EXCEPT LOCAL keyword include LDAP logins?

-C

anomie 06-02-2009 11:22 AM

Quote:

Originally Posted by custangro
does the EXCEPT LOCAL keyword include LDAP logins?

I'm not exactly sure. From /etc/security/access.conf inline documentation:
Code:

# The third field should be a list of one or more tty names (for
# non-networked logins), host names, domain names (begin with "."), host
# addresses, internet network numbers (end with "."), ALL (always
# matches), NONE (matches no tty on non-networked logins) or
# LOCAL (matches any string that does not contain a "." character).

If that's ambiguous, I'd recommend testing it out yourself. Tail /var/log/secure and /var/log/messages for PAM chatter to determine how the attempt is being handled.
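To make the answers in this thread concrete, here is an added example (my own code, not from the thread or from the pam_access module) that evaluates access.conf rules the way pam_access does: rules are tried in order, the first match wins, and a login that matches no rule is granted, which is why the single + line on its own lets everyone in. It assumes group membership has already been resolved (from /etc/group or LDAP alike) and only implements the keywords used in this thread; netgroups, @group@host and network numbers are skipped. Note that the third field is matched against the tty or the remote host of the login, not against where the account is stored.

```python
# Added example (not from the thread): minimal evaluator of /etc/security/access.conf
# rule semantics. First matching rule wins; a login that matches no rule is permitted.

def parse_access_conf(text):
    """Return [(permit, users_field, origins_field), ...] from access.conf text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            perm, users, origins = (f.strip() for f in line.split(":", 2))
            rules.append((perm == "+", users, origins))
    return rules

def _user_item(item, user, groups):
    if item == "ALL":
        return True
    if item.startswith("@"):  # @group: group membership
        return item[1:] in groups
    return item == user

def _origin_item(item, origin):
    if item == "ALL":
        return True
    if item == "NONE":
        return False
    if item == "LOCAL":  # per the inline doc: origin contains no "."
        return "." not in origin
    if item.startswith("."):  # ".example.com" matches a whole domain
        return origin.endswith(item)
    return item == origin  # tty name or host name/address

def _field_matches(field, item_fn):
    """'A B EXCEPT C D' matches if any of A, B matches and none of C, D does."""
    if " EXCEPT " in field:
        included, excluded = field.split(" EXCEPT ", 1)
        return _field_matches(included, item_fn) and not _field_matches(excluded, item_fn)
    return any(item_fn(item) for item in field.split())

def check_access(rules, user, groups, origin):
    """True if pam_access would let user (member of groups) in from origin."""
    for permit, users, origins in rules:
        if (_field_matches(users, lambda i: _user_item(i, user, groups))
                and _field_matches(origins, lambda i: _origin_item(i, origin))):
            return permit
    return True  # no rule matched: pam_access grants access by default

# Constructed rulesets, taken from the three variants discussed in the thread.
PERMIT_ONLY = "+ : @sysadmins : ALL\n"
PERMIT_THEN_DENY = "+ : @sysadmins : ALL\n- : ALL : ALL\n"
DENY_EXCEPT_LOCAL = "- : ALL : ALL EXCEPT LOCAL\n"
```

With PERMIT_ONLY a non-sysadmin from a remote address is still let in; with DENY_EXCEPT_LOCAL a login from a tty or from a host name without a dot is not denied, while one from a dotted address is.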

