LinuxQuestions.org
Old 06-01-2009, 05:15 PM   #1
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , Solaris 10, RHEL
Posts: 1,933
Blog Entries: 1

Access control with access.conf file


Question about the /etc/security/access.conf file...

I was thinking about only allowing access to the group sysadmins to this server...

The entry would look like...
Code:
 + : @sysadmins : ALL
My question is: Is there an implied "deny the rest" or do I have to put that in?

in other words...should my entry look like this...

Code:
+ : @sysadmins : ALL
- : ALL : ALL
I'm running RHEL 5.3

-C
 
Old 06-01-2009, 07:11 PM   #2
jhcaiced
Member
 
Registered: Mar 2009
Distribution: CentOS - Ubuntu - Debian
Posts: 83

Hi,

I think that you have to define the deny to all rule
in access.conf the line should be:

-:ALL: ALL EXCEPT LOCAL

(This allows local connections from the same host)

Best regards,
 
Old 06-01-2009, 09:43 PM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Quote:
Originally Posted by custangro
My question is: Is there an implied "deny the rest" or do I have to put that in?
No. You have to explicitly write the deny rule.

As mentioned, you can use the EXCEPT operator to squeeze the two rules into one. (Although, IMO, it makes the ruleset harder to read. Just depends on how your brain works.)
 
Old 06-01-2009, 09:54 PM   #4
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , Solaris 10, RHEL
Posts: 1,933
Blog Entries: 1

Original Poster
Quote:
Originally Posted by anomie
No. You have to explicitly write the deny rule.

As mentioned, you can use the EXCEPT operator to squeeze the two rules into one. (Although, IMO, it makes the ruleset harder to read. Just depends on how your brain works.)
Thanks...

Question about "squeezing the two rules"...

does the EXCEPT LOCAL keyword include LDAP logins?

-C
 
Old 06-02-2009, 11:22 AM   #5
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Quote:
Originally Posted by custangro
does the EXCEPT LOCAL keyword include LDAP logins?
I'm not exactly sure. From /etc/security/access.conf inline documentation:
Code:
# The third field should be a list of one or more tty names (for
# non-networked logins), host names, domain names (begin with "."), host
# addresses, internet network numbers (end with "."), ALL (always
# matches), NONE (matches no tty on non-networked logins) or
# LOCAL (matches any string that does not contain a "." character).
If that's ambiguous, I'd recommend testing it out yourself. Tail /var/log/secure and /var/log/messages for PAM chatter to determine how the attempt is being handled.
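The two questions in this thread (is there an implied deny after the sysadmins rule, and what "ALL EXCEPT LOCAL" matches) both come down to how pam_access walks the rule list: the first rule whose users field and origins field both match decides, and when no rule matches, access is permitted. The evaluator below is an added example, not code from the thread or from Linux-PAM; it models those documented semantics for a user name, group list and origin string and lets you dry-run a candidate access.conf before deploying it. Two simplifications are assumptions of this example: "@name" is treated as a group name, as the thread reads it (pam_access itself looks "@name" up as a netgroup, matches a bare name against the login name or, by default, a group name, and current versions also accept "(name)" for groups), and origins are compared as plain strings without DNS resolution or netmask syntax. Note that the origin field is the tty or remote host pam_access sees for the login, so whether the account comes from LDAP or /etc/passwd does not enter into the match; an LDAP user on the console matches LOCAL, the same user over SSH from 10.0.0.5 does not. The rule sets and login cases at the bottom are constructed for the demonstration.

```python
"""Dry-run evaluator for /etc/security/access.conf style rules.

Added example (not from the thread or Linux-PAM). It implements the
documented pam_access matching rules: each line is
"permission : users/groups : origins", the first line whose users AND
origins fields both match decides, and when no line matches access is
permitted.  EXCEPT splits a field into an include list and an exclude
list.  "@name" is read as a group here (a simplification; the real
module treats it as a netgroup), and origins are compared as strings.
"""
import re


def _split_except(field):
    """Split a field on EXCEPT -> (include_items, exclude_items)."""
    parts = re.split(r"\bEXCEPT\b", field, maxsplit=1)
    include = parts[0].split()
    exclude = parts[1].split() if len(parts) > 1 else []
    return include, exclude


def _list_match(field, item_matches):
    """pam_access list semantics: an item before EXCEPT must match and no
    item after EXCEPT may match."""
    include, exclude = _split_except(field)
    if not any(item_matches(tok) for tok in include):
        return False
    return not any(item_matches(tok) for tok in exclude)


def _user_match(tok, user, groups):
    """Users field item: ALL, @group (simplified reading) or a login name."""
    if tok == "ALL":
        return True
    if tok.startswith("@"):
        return tok[1:] in groups
    return tok == user


def _origin_match(tok, origin):
    """Origins field item, per the access.conf comments quoted above."""
    if tok == "ALL":
        return True
    if tok == "NONE":
        return False
    if tok == "LOCAL":
        return "." not in origin                       # tty names, bare host names
    if tok.startswith("."):
        return origin.lower().endswith(tok.lower())    # domain suffix, e.g. ".example.com"
    if tok.endswith("."):
        return origin.startswith(tok)                  # network prefix, e.g. "10.0."
    return tok.lower() == origin.lower()               # exact tty, host name or address


def parse_rules(text):
    """Return [(permission, users_field, origins_field), ...]; comments and
    blank lines are skipped, malformed lines raise so typos are not silently
    ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        rules.append(tuple(fields))
    return rules


def access_allowed(text, user, groups, origin):
    """First matching rule decides; with no match pam_access permits."""
    for perm, users, origins in parse_rules(text):
        if _list_match(users, lambda t: _user_match(t, user, groups)) and \
           _list_match(origins, lambda t: _origin_match(t, origin)):
            return perm == "+"
    return True


# Constructed rule sets mirroring the thread's three candidates.
ALLOW_ONLY = "+ : @sysadmins : ALL\n"
ALLOW_THEN_DENY = ALLOW_ONLY + "- : ALL : ALL\n"
ALLOW_EXCEPT_LOCAL = ALLOW_ONLY + "- : ALL : ALL EXCEPT LOCAL\n"

if __name__ == "__main__":
    # Constructed logins: a sysadmin over the network, a non-admin over the
    # network, and the same non-admin on the console.
    cases = [("alice", ["sysadmins"], "10.0.0.5"),
             ("bob", ["users"], "10.0.0.5"),
             ("bob", ["users"], "tty1")]
    for label, rules in (("allow only", ALLOW_ONLY),
                         ("allow+deny", ALLOW_THEN_DENY),
                         ("except local", ALLOW_EXCEPT_LOCAL)):
        for user, groups, origin in cases:
            verdict = "permit" if access_allowed(rules, user, groups, origin) else "deny"
            print(f"{label:13} {user:6} from {origin:9}: {verdict}")
```

Running it shows the point of post #3 directly: with only the "+ : @sysadmins : ALL" line, bob is still permitted because nothing matched him, while both the explicit "- : ALL : ALL" line and the "ALL EXCEPT LOCAL" form deny him over the network; only the EXCEPT form lets him in from tty1. Treat this as a way to reason about a ruleset before you edit the live file; the real check is still the one post #5 describes, a test login while tailing /var/log/secure, since the module also consults netgroups, NSS group membership and the actual PAM_RHOST/PAM_TTY values that this model only approximates.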