LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Enterprise Linux Forums > Linux - Enterprise
Reload this Page Access control with access.conf file
User Name
Password
Linux - Enterprise This forum is for all items relating to using Linux in the Enterprise.

Notices


Reply
  Search this Thread
Old 06-01-2009, 05:15 PM   #1
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,979
Blog Entries: 1

Rep: Reputation: 209Reputation: 209Reputation: 209
Access control with access.conf file

Question about the /etc/security/access.conf file...

I was thinking about only allowing acces to the group sysadmins to this server...

The entry would look like...
Code:
 + : @sysadmins : ALL
My question is: Is there an implied "deny the rest" or do I have to put that in?

in other words...should my entry look like this...

Code:
+ : @sysadmins : ALL
- : ALL : ALL
I'm running RHEL 5.3

-C
 
Old 06-01-2009, 07:11 PM   #2
jhcaiced
Member
 
Registered: Mar 2009
Distribution: CentOS - Ubuntu - Debian
Posts: 83

Rep: Reputation: 27
Hi,

I think that you have to define the deny to all rule
in access.conf the line should be:

-:ALL: ALL EXCEPT LOCAL

(This allows local connections from the same host)

Best regards,
 
Old 06-01-2009, 09:43 PM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by custangro
My question is: Is there an implied "deny the rest" or do I have to put that in?
No. You have to explicitly write the deny rule.

As mentioned, you can use the EXCEPT operator to squeeze the two rules into one. (Although, IMO, it makes the ruleset harder to read. Just depends on how your brain works.)
 
Old 06-01-2009, 09:54 PM   #4
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,979

Original Poster
Blog Entries: 1

Rep: Reputation: 209Reputation: 209Reputation: 209
Quote:
Originally Posted by anomie View Post
No. You have to explicitly write the deny rule.

As mentioned, you can use the EXCEPT operator to squeeze the two rules into one. (Although, IMO, it makes the ruleset harder to read. Just depends on how your brain works.)
Thanks...

Question about "squeezing the two rules"...

does the EXCEPT LOCAL keyword include LDAP logins?

-C
 
Old 06-02-2009, 11:22 AM   #5
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by custangro
does the EXCEPT LOCAL keyword include LDAP logins?
I'm not exactly sure. From /etc/security/access.conf inline documentation:
Code:
# The third field should be a list of one or more tty names (for
# non-networked logins), host names, domain names (begin with "."), host
# addresses, internet network numbers (end with "."), ALL (always
# matches), NONE (matches no tty on non-networked logins) or
# LOCAL (matches any string that does not contain a "." character).
If that's ambiguous, I'd recommend testing it out yourself. Tail /var/log/secure and /var/log/messages for PAM chatter to determine how the attempt is being handled.
 
  


Reply



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
access control policy in slapd.conf niraj.kumar Linux - Server 3 05-06-2009 06:58 AM
access control lists in squid.conf zebias Linux - Newbie 3 11-08-2007 11:45 AM
access denied to grub.conf file mista_chewey Linux - General 2 04-16-2006 01:03 AM
Restrict X server access using /etc/security/access.conf anand_kt Linux - General 0 04-22-2005 08:40 AM
Httpd.conf for access control BillyB Linux - Newbie 1 02-26-2005 01:23 PM

LinuxQuestions.org > Forums > Enterprise Linux Forums > Linux - Enterprise

All times are GMT -5. The time now is 02:03 PM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration