From: Laurent Blume on 12 Aug 2010 04:30

Hello all,

I'm trying to restrict access in /etc/security/access.conf based on group names which have spaces in them (Windows domain groups, in the form DOMAIN+group of users). It already works for groups without a space.

I tried escaping with \ or quoting, but it didn't seem to work. Any idea if/how that can be done?

Thanks,
Laurent

--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
Archive: http://lists.debian.org/4C63AEE2.3080509(a)opensolaris.org
From: Camaleón on 12 Aug 2010 07:20

On Thu, 12 Aug 2010 10:20:50 +0200, Laurent Blume wrote:

> I'm trying to restrict access in /etc/security/access.conf based on
> group names which have spaces in them (Windows domain groups, in the
> form DOMAIN+group of users). It already works for groups without a
> space.
>
> I tried escaping with \ or quoting, but it didn't seem to work. Any idea
> if/how that can be done?

Mmm, couldn't it be that the same restrictions as for usernames apply here?

BTW, "man groupadd" says:

***
CAVEATS
It is usually recommended to only use usernames that begin with a lower case letter or an underscore, and are only followed by lower case letters, digits, underscores, dashes, and optionally terminated by a dollar sign. In regular expression terms: [a-z_][a-z0-9_-]*[$]?

On Debian, the only constraints are that usernames must neither start with a dash ('-') nor contain a colon (':') or a whitespace (space: ' ', end of line: '\n', tabulation: '\t', etc.).

Groupnames may only be up to 32 characters long.

You may not add a NIS or LDAP group. This must be performed on the corresponding server.

If the groupname already exists in an external group database such as NIS or LDAP, groupadd will deny the group creation request.
***

P.S. That man page seems to have an error. When it reads "username" I guess it should be "groupnames" instead :-?

Greetings,

--
Camaleón

Archive: http://lists.debian.org/pan.2010.08.12.11.09.46(a)gmail.com
From: Laurent Blume on 12 Aug 2010 10:10

On 08/12/2010 01:09 PM, Camaleón wrote:
> Mmm, couldn't it be that the same restrictions as for usernames apply here?

Aha, I didn't know that it was so restrictive.

But actually, I'm lucky: I had read access.conf(5), but overlooked this in pam_access(8), which specifically covers my case:

    listsep=separators
        This option modifies the list separator character that pam_access will recognize when parsing the access configuration file. For example: listsep=, will cause the default ' ' (space) and '\t' (tab) characters to be treated as part of a list element value and ',' becomes the only list element separator. Doing this may be useful on a system with group information obtained from a Windows domain, where the default built-in groups "Domain Users", "Domain Admins" contain a space.

Which proves once again, if it was needed, that one needs to always RTFM a little bit more :-)

Thanks,
Laurent

Archive: http://lists.debian.org/4C63FE86.9090100(a)opensolaris.org
From: Camaleón on 12 Aug 2010 12:30

On Thu, 12 Aug 2010 16:00:38 +0200, Laurent Blume wrote:

> On 08/12/2010 01:09 PM, Camaleón wrote:
>> Mmm, couldn't it be that the same restrictions as for
>> usernames apply here?
>
> Aha, I didn't know that it was so restrictive. But actually, I'm lucky:
> I had read access.conf(5), but overlooked this in pam_access(8), which
> specifically covers my case:
>
> listsep=separators (...)

Ah... great! I take note of this.

> Which proves once again, if it was needed, that one needs to always RTFM a
> little bit more :-)

Better "RTCM" → Read The *Correct* Manual

And I'm afraid that also applies to me O:-)

Greetings,

--
Camaleón

Archive: http://lists.debian.org/pan.2010.08.12.16.25.04(a)gmail.com
From: Laurent Blume on 13 Aug 2010 12:20

On 08/12/2010 06:25 PM, Camaleón wrote:
> Better "RTCM" → Read The *Correct* Manual

Well, «Correct» is a stretch. I just found out that you need to put *exactly* this as a pam_access parameter:

    listsep = ,

If you don't put the spaces (as in the manual's example), then the content of access.conf will be silently ignored, and everybody will be allowed to log in.

The line there looks like this:

    -:ALL EXCEPT root,(ldapgroup),(DOMAIN+windows users):ALL

Replacing the remaining spaces by commas also works, but doesn't appear to be necessary.

Laurent

Archive: http://lists.debian.org/4C656FB5.8020006(a)opensolaris.org
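To make the separator effect concrete, here is a small added toy model (not pam_access's source and not from this thread) that tokenizes the users field of the rule above with a configurable list separator set and evaluates it for a user in the "DOMAIN+windows users" group; the default separator set, the "no match means allow" default, the user names and the group lists are constructed assumptions.

```python
# Added toy model of access.conf list tokenization; NOT pam_access source code.
# Shows why a group name with a space only matches when space is not a separator.
import re

DEFAULT_LISTSEP = " \t,"   # assumed default separator set (space, tab, comma)

def split_list(field, listsep):
    """Split a users/origins field on any character in listsep, dropping empties."""
    return [t for t in re.split("[" + re.escape(listsep) + "]+", field) if t]

def user_field_matches(field, user, groups, listsep):
    """True if the rule's users field applies to `user` (a member of `groups`).
    Handles ALL, the 'ALL EXCEPT <list>' form, plain user names and (group) items."""
    field = field.strip()
    if field == "ALL":
        return True
    negate = field.startswith("ALL EXCEPT ")
    if negate:
        field = field[len("ALL EXCEPT "):]
    hit = False
    for item in split_list(field, listsep):
        if item.startswith("(") and item.endswith(")"):
            hit = hit or item[1:-1] in groups   # "(name)" denotes a group
        else:
            hit = hit or item == user
    return not hit if negate else hit

def evaluate(rules, user, groups, listsep=DEFAULT_LISTSEP):
    """First matching rule decides; no matching rule means 'allow' (toy default).
    Origins other than ALL are not modelled; the sample rule only uses ALL."""
    for line in rules:
        perm, users, origins = line.split(":", 2)
        if origins.strip() != "ALL":
            raise NotImplementedError("toy only handles origin ALL")
        if user_field_matches(users, user, groups, listsep):
            return "deny" if perm.strip() == "-" else "allow"
    return "allow"

# Constructed sample: the rule from the thread and a user in the Windows-domain group.
RULE = "-:ALL EXCEPT root,(ldapgroup),(DOMAIN+windows users):ALL"
WINDOWS_USER_GROUPS = ["DOMAIN+domain users", "DOMAIN+windows users"]

if __name__ == "__main__":
    # With space as a separator the group token is split in two and never matches.
    print("default separators:", evaluate([RULE], "alice", WINDOWS_USER_GROUPS))  # deny
    print("listsep=',':", evaluate([RULE], "alice", WINDOWS_USER_GROUPS, listsep=","))  # allow
```

With the default separator set the exemption for the Windows group is unreachable, so members are denied like everyone else; with "," as the only separator the group name survives tokenization and the exemption works.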