Access

Parses /etc/security/access.conf

Author: Lorenzo Dalrio lorenzo.nosp@m..dalrio@gmai.nosp@m.l.com

Summary
AccessParses /etc/security/access.conf
ReferenceSome examples of valid entries can be found in access.conf or “man access.conf”
LicenseThis file is licensed under the LGPLv2+, like the rest of Augeas.
Lens UsageSample usage of this lens in augtool
Configuration filesThis lens applies to /etc/security/access.conf.
Comments and empty lines
comment
empty line
Useful primitives
colonthis is the standard field separator “ : “
ENTRY LINE
accessAllow (+) or deny (-) access
user_reRegex for user/netgroup fields
useruser can be a username or a group
netgroupnetgroups begin with @
user_listA list of users or netgroups to apply the rule to
origin_listorigin_list can be a single ipaddr/originname/domain/fqdn or a list of those values
exceptThe except operator makes it possible to write very compact rules.
entryA valid entry line Definition:
LENS & FILTER
lnsThe access.conf lens, any amount of
filter

Reference

Some examples of valid entries can be found in access.conf or “man access.conf”

License

This file is licensed under the LGPLv2+, like the rest of Augeas.

Lens Usage

Sample usage of this lens in augtool

  • Add a rule to permit login of all users from local sources (tty’s, X, cron)
set /files/etc/security/access.conf[0] +
set /files/etc/security/access.conf[0]/user ALL
set /files/etc/security/access.conf[0]/origin LOCAL

Configuration files

This lens applies to /etc/security/access.conf.  See filter.

Comments and empty lines

comment

let comment = Util.comment

empty line

Useful primitives

colon

let colon = Sep.space . Sep.colon . Sep.space

this is the standard field separator “ : “

ENTRY LINE

access

let access = label "access" . store /[+-]/

Allow (+) or deny (-) access

user_re

let user_re = Rx.word - /[Ee][Xx][Cc][Ee][Pp][Tt]/

Regex for user/netgroup fields

user

let user = [ label "user" . store user_re ]

user can be a username or a group

netgroup

let netgroup = [ label "netgroup" . Util.del_str "@" . store user_re ]

netgroups begin with @

user_list

let user_list = Build.opt_list (user|netgroup) Sep.space

A list of users or netgroups to apply the rule to

origin_list

let origin_list = let origin_re = Rx.no_spaces - /[Ee][Xx][Cc][Ee][Pp][Tt]/ in Build.opt_list [ label "origin" . store origin_re ] Sep.space

origin_list can be a single ipaddr/originname/domain/fqdn or a list of those values

except

let except (
   lns:lens
) = [ label "except" . Sep.space . del /[Ee][Xx][Cc][Ee][Pp][Tt]/ "EXCEPT" . Sep.space . lns ]

The except operator makes it possible to write very compact rules.

entry

let entry = [ access . colon . user_list . (except user_list)? . colon . origin_list . (except origin_list)? . Util.eol ]

A valid entry line Definition:

entry ::= access ':' user ':' origin_list

LENS & FILTER

lns

let lns = (comment|empty|entry) *

The access.conf lens, any amount of

filter

let comment = Util.comment
let colon = Sep.space . Sep.colon . Sep.space
this is the standard field separator “ : “
let access = label "access" . store /[+-]/
Allow (+) or deny (-) access
let user_re = Rx.word - /[Ee][Xx][Cc][Ee][Pp][Tt]/
Regex for user/netgroup fields
let user = [ label "user" . store user_re ]
user can be a username or a group
let netgroup = [ label "netgroup" . Util.del_str "@" . store user_re ]
netgroups begin with @
let user_list = Build.opt_list (user|netgroup) Sep.space
A list of users or netgroups to apply the rule to
let origin_list = let origin_re = Rx.no_spaces - /[Ee][Xx][Cc][Ee][Pp][Tt]/ in Build.opt_list [ label "origin" . store origin_re ] Sep.space
origin_list can be a single ipaddr/originname/domain/fqdn or a list of those values
let except (
   lns:lens
) = [ label "except" . Sep.space . del /[Ee][Xx][Cc][Ee][Pp][Tt]/ "EXCEPT" . Sep.space . lns ]
The except operator makes it possible to write very compact rules.
let entry = [ access . colon . user_list . (except user_list)? . colon . origin_list . (except origin_list)? . Util.eol ]
A valid entry line Definition:
let lns = (comment|empty|entry) *
The access.conf lens, any amount of
let empty = Util.empty
Close