Access

Parses /etc/security/access.conf

Author: Lorenzo Dalrio lorenzo.dalrio@gmail.com

Summary

  • Access: Parses /etc/security/access.conf
  • Reference: Some examples of valid entries can be found in access.conf or “man access.conf”
  • License: This file is licensed under the LGPLv2+, like the rest of Augeas.
  • Lens Usage: Sample usage of this lens in augtool
  • Configuration files: This lens applies to /etc/security/access.conf.
  • Examples: The Test_Access file contains various examples and tests.
  • Comments and empty lines
      • comment
      • empty
  • Useful primitives
      • colon: the standard field separator " : "
  • ENTRY LINE
      • access: Allow (+) or deny (-) access
      • user_re: Regex for user/netgroup fields
      • user: user can be a username, username@hostname or a group
      • group: Format is (GROUP)
      • netgroup: Format is @NETGROUP[@@NISDOMAIN]
      • user_list: A list of users or netgroups to apply the rule to
      • origin_list: origin_list can be a single ipaddr/originname/domain/fqdn or a list of those values
      • except: The except operator makes it possible to write very compact rules.
      • entry: A valid entry line
  • LENS & FILTER
      • lns: The access.conf lens
      • filter

Reference

Some examples of valid entries can be found in access.conf or “man access.conf”

License

This file is licensed under the LGPLv2+, like the rest of Augeas.

Lens Usage

Sample usage of this lens in augtool

  • Add a rule to permit login of all users from local sources (ttys, X, cron)

      set /files/etc/security/access.conf[0] +
      set /files/etc/security/access.conf[0]/user ALL
      set /files/etc/security/access.conf[0]/origin LOCAL

Configuration files

This lens applies to /etc/security/access.conf.  See filter.

Examples

The Test_Access file contains various examples and tests.

Comments and empty lines

comment

let comment = Util.comment

empty

let empty = Util.empty

Useful primitives

colon

let colon = del (Rx.opt_space . ":" . Rx.opt_space) " : "

This is the standard field separator " : " (optional whitespace is allowed on either side of the colon).

ENTRY LINE

access

let access = label "access" . store /[+-]/

Allow (+) or deny (-) access

user_re

let user_re = Rx.word - /[Ee][Xx][Cc][Ee][Pp][Tt]/

Regex for user/netgroup fields

user

let user = [ label "user" . ( store user_re | store Rx.word . Util.del_str "@" . [ label "host" . store Rx.word ] ) ]

user can be a username, username@hostname or a group

group

let group = [ label "group" . Util.del_str "(" . store Rx.word . Util.del_str ")" ]

Format is (GROUP)

netgroup

let netgroup = [ label "netgroup" . Util.del_str "@" . store user_re . [ label "nisdomain" . Util.del_str "@@" . store Rx.word ]? ]

Format is @NETGROUP[@@NISDOMAIN]

user_list

let user_list = Build.opt_list (user|group|netgroup) Sep.space

A list of users or netgroups to apply the rule to

origin_list

let origin_list = let origin_re = Rx.no_spaces - /[Ee][Xx][Cc][Ee][Pp][Tt]/ in Build.opt_list [ label "origin" . store origin_re ] Sep.space

origin_list can be a single ipaddr/originname/domain/fqdn or a list of those values

except

let except (lns:lens) = [ label "except" . Sep.space . del /[Ee][Xx][Cc][Ee][Pp][Tt]/ "EXCEPT" . Sep.space . lns ]

The except operator makes it possible to write very compact rules.

entry

let entry = [ access . colon . user_list . (except user_list)? . colon . origin_list . (except origin_list)? . Util.eol ]

A valid entry line.

Definition:

entry ::= access ':' user ':' origin_list

As the lens definition above shows, the user list and the origin list may each be followed by EXCEPT and a second list of the same kind.
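To make the grammar of entry (and of lns, which repeats comment, empty and entry lines) concrete, here is an added Python reader that builds the same labelled structure the lens produces. It is example code written for this page, not part of Augeas; it assumes Rx.word is [A-Za-z0-9_.-]+ and the sample file is constructed.

```python
import re
# Added example (not Augeas code): a Python reader for the grammar the Access lens encodes.
WORD = re.compile(r"[A-Za-z0-9_.-]+")            # assumed: Augeas Rx.word
EXCEPT = re.compile(r"except", re.IGNORECASE)    # the lens matches EXCEPT case-insensitively

def parse_user(tok):
    """Mirror of user|group|netgroup: (GROUP), @NETGROUP[@@NISDOMAIN], user[@host]."""
    if tok.startswith("(") and tok.endswith(")") and WORD.fullmatch(tok[1:-1]):
        return {"group": tok[1:-1]}
    if tok.startswith("@"):
        ng, _, dom = tok[1:].partition("@@")
        if not WORD.fullmatch(ng) or (dom and not WORD.fullmatch(dom)):
            raise ValueError(f"bad netgroup: {tok!r}")
        return {"netgroup": ng, "nisdomain": dom} if dom else {"netgroup": ng}
    user, _, host = tok.partition("@")
    if not WORD.fullmatch(user) or (host and not WORD.fullmatch(host)):
        raise ValueError(f"bad user: {tok!r}")
    return {"user": user, "host": host} if host else {"user": user}

def split_except(field):
    """'a b EXCEPT c' -> (['a','b'], ['c']); the second list is empty when no EXCEPT."""
    toks = field.split()
    for i, t in enumerate(toks):
        if EXCEPT.fullmatch(t):
            if not toks[i + 1:]:
                raise ValueError("EXCEPT needs at least one item after it")
            return toks[:i], toks[i + 1:]
    return toks, []

def parse_entry(line):
    """Mirror of entry: access ':' user_list [EXCEPT ...] ':' origin_list [EXCEPT ...].
    Only the first two colons split fields, so an IPv6 origin keeps its colons."""
    parts = line.split(":", 2)
    if len(parts) != 3 or parts[0].rstrip() not in ("+", "-"):
        raise ValueError(f"not an access.conf entry: {line!r}")
    users, ex_users = split_except(parts[1])
    origins, ex_origins = split_except(parts[2])
    if not users or not origins:
        raise ValueError(f"empty user or origin list: {line!r}")
    return {"access": parts[0].rstrip(), "user": [parse_user(u) for u in users],
            "except_user": [parse_user(u) for u in ex_users],
            "origin": origins, "except_origin": ex_origins}

def parse_access_conf(text):
    """Mirror of lns = (comment|empty|entry)*; comment and blank lines are dropped."""
    return [parse_entry(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

# Constructed sample, modelled on the kind of examples found in access.conf(5)
SAMPLE = "# block console logins except root and wheel\n- : ALL EXCEPT root (wheel) : LOCAL\n+ : @admins@@example.com john@bastion : 10.0.0.0/24 ::1\n"
```

Running parse_access_conf(SAMPLE) yields one dictionary per rule, with the same labels (access, user, host, group, netgroup, nisdomain, origin, except) that the lens stores in the Augeas tree.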

LENS & FILTER

lns

let lns = (comment|empty|entry) *

The access.conf lens: any amount of comment, empty, or entry lines.

filter
