Access

Parses /etc/security/access.conf

Author: Lorenzo Dalrio <lorenzo.dalrio@gmail.com>

Summary

  Access: Parses /etc/security/access.conf
  Reference: Some examples of valid entries can be found in access.conf or “man access.conf”
  License: This file is licensed under the LGPL v2+, like the rest of Augeas.
  Lens Usage: Sample usage of this lens in augtool
  Configuration files: This lens applies to /etc/security/access.conf.
  Examples: The Test_Access file contains various examples and tests.
  Comments and empty lines
    comment
    empty
  Useful primitives
    colon: this is the standard field separator “ : ”
  ENTRY LINE
    access: Allow (+) or deny (-) access
    identifier_re: Regex for user/group identifiers
    user_re: Regex for user/netgroup fields
    user: user can be a username, username@hostname or a group
    group: Format is (GROUP)
    netgroup: Format is @NETGROUP[@@NISDOMAIN]
    user_list: A list of users or netgroups to apply the rule to
    origin_list: origin_list can be a single ipaddr/originname/domain/fqdn or a list of those values
    except: The except operator makes it possible to write very compact rules.
    entry: A valid entry line
  LENS & FILTER
    lns: The access.conf lens, any amount of
    filter

Reference

Some examples of valid entries can be found in access.conf or “man access.conf”

License

This file is licensed under the LGPL v2+, like the rest of Augeas.

Lens Usage

Sample usage of this lens in augtool

  • Add a rule to permit login of all users from local sources (tty’s, X, cron)

      set /files/etc/security/access.conf[0] +
      set /files/etc/security/access.conf[0]/user ALL
      set /files/etc/security/access.conf[0]/origin LOCAL

Configuration files

This lens applies to /etc/security/access.conf.  See filter.

Examples

The Test_Access file contains various examples and tests.

Comments and empty lines

comment

let comment = Util.comment

empty

let empty = Util.empty

Useful primitives

colon

let colon = del (Rx.opt_space . ":" . Rx.opt_space) " : "

this is the standard field separator “ : ”

ENTRY LINE

access

let access = label "access" . store /[+-]/

Allow (+) or deny (-) access

identifier_re

let identifier_re = /[A-Za-z0-9_.\\-]+/

Regex for user/group identifiers

user_re

let user_re = identifier_re - /[Ee][Xx][Cc][Ee][Pp][Tt]/

Regex for user/netgroup fields

user

let user = [ label "user" . ( store user_re | store Rx.word . Util.del_str "@" . [ label "host" . store Rx.word ] ) ]

user can be a username, username@hostname or a group

group

let group = [ label "group" . Util.del_str "(" . store identifier_re . Util.del_str ")" ]

Format is (GROUP)

netgroup

let netgroup = [ label "netgroup" . Util.del_str "@" . store user_re . [ label "nisdomain" . Util.del_str "@@" . store Rx.word ]? ]

Format is @NETGROUP[@@NISDOMAIN]

user_list

let user_list = Build.opt_list (user|group|netgroup) Sep.space

A list of users or netgroups to apply the rule to

origin_list

let origin_list = let origin_re = Rx.no_spaces - /[Ee][Xx][Cc][Ee][Pp][Tt]/ in Build.opt_list [ label "origin" . store origin_re ] Sep.space

origin_list can be a single ipaddr/originname/domain/fqdn or a list of those values

except

let except (lns:lens) = [ label "except" . Sep.space . del /[Ee][Xx][Cc][Ee][Pp][Tt]/ "EXCEPT" . Sep.space . lns ]

The except operator makes it possible to write very compact rules.

entry

let entry = [ access . colon . user_list . (except user_list)? . colon . origin_list . (except origin_list)? . Util.eol ]

A valid entry line.

Definition:

  entry ::= access ':' user ':' origin_list

LENS & FILTER

lns

let lns = (comment|empty|entry) *

The access.conf lens, any amount of
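The grammar above, from the user, group and netgroup primitives through except, entry and lns, as a stand-alone Python parser added here for illustration. It is not part of the Augeas lens or of Test_Access; it mirrors the lens's regular expressions and produces the same labelled tree the lens does (an access node valued + or - with user, group, netgroup, except and origin children, user@host and @netgroup@@nisdomain as child nodes), renders a tree back into the lens's default " : " form, and adds a small audit helper. The sample policy in SAMPLE and the permissive_rules heuristic (flag + rules whose origin side is ALL without an EXCEPT) are constructed for this example and are not from the page.

```python
import re
from collections import namedtuple
from typing import Callable, List

Node = namedtuple("Node", "label value children", defaults=[()])  # one Augeas tree node

# Character classes from the lens: identifier_re and Rx.word both reduce to
# [A-Za-z0-9_.-]+; user_re and origin_re additionally exclude the word EXCEPT.
WORD = r"[A-Za-z0-9_.-]+"
COLON_RE = re.compile(r"\s*:\s*")                         # colon: opt_space ":" opt_space
EXCEPT_RE = re.compile(r"\s+EXCEPT\s+", re.IGNORECASE)    # except: Sep.space EXCEPT Sep.space
GROUP_RE = re.compile(rf"^\(({WORD})\)$")                 # group: (GROUP)
NETGROUP_RE = re.compile(rf"^@({WORD})(?:@@({WORD}))?$")  # netgroup: @NETGROUP[@@NISDOMAIN]
USER_HOST_RE = re.compile(rf"^({WORD})@({WORD})$")        # user: username@hostname

def parse_user_item(tok: str) -> Node:
    """One user_list element: user, user@host, (group) or @netgroup[@@nisdomain]."""
    if tok.upper() == "EXCEPT":
        raise ValueError("EXCEPT is not a valid user field")
    if m := GROUP_RE.match(tok):
        return Node("group", m.group(1))
    if m := NETGROUP_RE.match(tok):
        return Node("netgroup", m.group(1), (Node("nisdomain", m.group(2)),) if m.group(2) else ())
    if m := USER_HOST_RE.match(tok):
        return Node("user", m.group(1), (Node("host", m.group(2)),))
    if re.fullmatch(WORD, tok):
        return Node("user", tok)
    raise ValueError(f"invalid user field {tok!r}")

def parse_origin_item(tok: str) -> Node:
    if tok.upper() == "EXCEPT":  # origin_re = Rx.no_spaces minus EXCEPT
        raise ValueError("EXCEPT is not a valid origin")
    return Node("origin", tok)

def parse_list(field: str, item: Callable[[str], Node]) -> List[Node]:
    """user_list / origin_list: items, then optionally 'EXCEPT <items>' stored as an 'except' node."""
    head, *tail = EXCEPT_RE.split(field.strip(), maxsplit=1)
    if not head.split() or (tail and not tail[0].split()):
        raise ValueError(f"empty list in {field!r}")
    nodes = [item(t) for t in head.split()]
    if tail:
        nodes.append(Node("except", None, tuple(item(t) for t in tail[0].split())))
    return nodes

def parse_entry(line: str) -> Node:
    """entry: access ':' user_list [EXCEPT ...] ':' origin_list [EXCEPT ...]; maxsplit=2 keeps IPv6 colons."""
    fields = COLON_RE.split(line.rstrip("\n"), maxsplit=2)
    if len(fields) != 3 or fields[0] not in ("+", "-"):
        raise ValueError(f"malformed entry {line!r}")
    children = parse_list(fields[1], parse_user_item) + parse_list(fields[2], parse_origin_item)
    return Node("access", fields[0], tuple(children))

def parse_access_conf(text: str) -> List[Node]:
    """lns = (comment|empty|entry)*: blank and bare '#' lines dropped (Util.empty), comments kept (Util.comment)."""
    nodes: List[Node] = []
    for line in text.splitlines():
        body = line.strip()
        if body.startswith("#"):
            if body[1:].strip():
                nodes.append(Node("#comment", body[1:].strip()))
        elif body:
            nodes.append(parse_entry(line))
    return nodes

def format_item(n: Node) -> str:
    """Put direction for one list element: render it back into access.conf syntax."""
    if n.label == "except":
        return "EXCEPT " + " ".join(format_item(c) for c in n.children)
    if n.label == "group":
        return f"({n.value})"
    joiner = "@@" if n.label == "netgroup" else "@"        # nisdomain vs. host suffix
    tail = joiner + n.children[0].value if n.children else ""
    return ("@" if n.label == "netgroup" else "") + n.value + tail

def format_entry(n: Node) -> str:
    """Inverse of parse_entry, using the lens's default ' : ' separator."""
    split = next(i for i, c in enumerate(n.children) if c.label == "origin")
    users = " ".join(format_item(c) for c in n.children[:split])
    return f"{n.value} : {users} : " + " ".join(format_item(c) for c in n.children[split:])

def permissive_rules(nodes: List[Node]) -> List[Node]:
    """Audit helper (constructed heuristic): '+' rules admitting from origin ALL with no EXCEPT on the origin side."""
    found = []
    for n in nodes:
        if n.label == "access" and n.value == "+":
            side = n.children[next(i for i, c in enumerate(n.children) if c.label == "origin"):]
            if Node("origin", "ALL") in side and not any(c.label == "except" for c in side):
                found.append(n)
    return found

SAMPLE = """\
# constructed sample access.conf for this demonstration, not a distribution file
+ : @admins@@example.com ops@jumphost : 10.0.0.0/24
- : ALL EXCEPT (wheel) shutdown sync : LOCAL
+ : guest : ALL EXCEPT 203.0.113.0/24
+ : backup : ALL
- : ALL : ALL
"""

if __name__ == "__main__":
    tree = parse_access_conf(SAMPLE)
    print(*tree, sep="\n")
    print("review:", [format_entry(r) for r in permissive_rules(tree)])
```

The parser rejects what the lens rejects: EXCEPT used as a user or origin name, a line with fewer than three colon-separated fields, or an access field other than + or -. Splitting on at most two colons keeps IPv6 origins such as 2001:db8::1 intact, which matches origin_re being Rx.no_spaces rather than a colon-free class.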

filter
