(*
Module: Access
  Parses /etc/security/access.conf

Author: Lorenzo Dalrio <lorenzo.dalrio@gmail.com>

About: Reference
  Some examples of valid entries can be found in access.conf itself or in
  "man access.conf".

About: License
  This file is licensed under the LGPL v2+, like the rest of Augeas.

About: Lens Usage
  Sample usage of this lens in augtool

  * Add a rule to permit login of all users from local sources (tty's, X, cron)
  > set /files/etc/security/access.conf[0] +
  > set /files/etc/security/access.conf[0]/user ALL
  > set /files/etc/security/access.conf[0]/origin LOCAL

About: Configuration files
  This lens applies to /etc/security/access.conf. See <filter>.

About: Examples
  The <Test_Access> file contains various examples and tests.
*)
module Access =
  autoload xfm

(* Group: Comments and empty lines *)

(* Variable: comment
 * Comment lines, handled by the shared <Util.comment> lens *)
let comment = Util.comment

(* Variable: empty
 * Blank lines, handled by the shared <Util.empty> lens *)
let empty = Util.empty

(* Group: Useful primitives *)

(* Variable: colon
 * The standard field separator: a ":" with optional whitespace on either
 * side when parsing, written back as " : " when a new entry is created. *)
let colon = del (Rx.opt_space . ":" . Rx.opt_space) " : "

(************************************************************************
 * Group: ENTRY LINE
 *************************************************************************)

(* View: access
 * Allow (+) or deny (-) access. This carries the <label> of the whole
 * rule: each rule appears in the tree as an "access" node whose value is
 * "+" or "-" (see <entry>), with the fields as children. *)
let access = label "access" . store /[+-]/

(* Variable: identifier_re
 * Regex for user/group identifiers: letters, digits, "_", "." and "-",
 * plus what the "\\" escape admits (presumably a literal backslash, for
 * DOMAIN\user style names -- confirm). Whitespace and ":" are never
 * accepted, so a value set through this lens cannot spill into the next
 * field of the line. *)
let identifier_re = /[A-Za-z0-9_.\\-]+/

(* View: user_re
 * Regex for user/netgroup fields: an <identifier_re> that is not the
 * keyword EXCEPT in any letter case. Without this exclusion the keyword
 * could not be told apart from a user name, and the optional <except>
 * clause in <entry> would be ambiguous. *)
let user_re = identifier_re - /[Ee][Xx][Cc][Ee][Pp][Tt]/

(* View: user
 * A user field: a user name or group name matching <user_re>, or a
 * user@host pair stored as the "user" value plus a "host" child. Note
 * that both halves of the user@host form are matched with <Rx.word>,
 * not <user_re>. *)
let user = [ label "user"
             . ( store user_re
               | store Rx.word . Util.del_str "@"
                 . [ label "host" . store Rx.word ] ) ]

(* View: group
 * A group in the form (GROUP): the parentheses are dropped and the name
 * is stored under "group". This uses <identifier_re> rather than
 * <user_re>, so the EXCEPT exclusion does not apply here (presumably the
 * parentheses already keep it distinct from the operator). *)
let group = [ label "group"
             . Util.del_str "(" . store identifier_re . Util.del_str ")" ]

(* View: netgroup
 * A netgroup in the form @NETGROUP[@@NISDOMAIN]: the leading "@" is
 * dropped, the name is stored under "netgroup", and the optional "@@"
 * suffix becomes a "nisdomain" child. *)
let netgroup =
  [ label "netgroup" . Util.del_str "@" . store user_re
    . [ label "nisdomain" . Util.del_str "@@" . store Rx.word ]? ]

(* View: user_list
 * A space-separated list of <user>, <group> or <netgroup> items the rule
 * applies to; <Build.opt_list> also accepts a single item. *)
let user_list = Build.opt_list (user|group|netgroup) Sep.space

(* View: origin_list
 * origin_list can be a single ipaddr/originname/domain/fqdn or a list of
 * those values, each stored under an "origin" node. Any run of
 * non-whitespace characters is accepted (<Rx.no_spaces>); only the
 * keyword EXCEPT, in any letter case, is excluded so that an <except>
 * clause can follow the list unambiguously. *)
let origin_list =
  let origin_re = Rx.no_spaces - /[Ee][Xx][Cc][Ee][Pp][Tt]/
  in Build.opt_list [ label "origin" . store origin_re ] Sep.space

(* View: except
 * The EXCEPT operator, which makes it possible to write very compact
 * rules. [lns] is the list the exclusion applies to (a <user_list> or an
 * <origin_list>) and is stored under an "except" node. The keyword is
 * matched in any letter case and written back as "EXCEPT". *)
let except (lns:lens) = [ label "except" . Sep.space
                        . del /[Ee][Xx][Cc][Ee][Pp][Tt]/ "EXCEPT"
                        . Sep.space . lns ]

(* View: entry
 * A valid entry line
 * Definition:
 * > entry ::= access ':' user_list [except user_list] ':' origin_list [except origin_list]
 *
 * The rule's tree node is the <access> node ("+" or "-") with "user",
 * "group", "netgroup", "except" and "origin" children. The lens checks
 * field syntax only; whether the resulting permit/deny rule is the
 * intended policy is the caller's responsibility. *)
let entry = [ access . colon
            . user_list
            . (except user_list)?
            . colon
            . origin_list
            . (except origin_list)?
            . Util.eol ]

(************************************************************************
 * Group: LENS & FILTER
 *************************************************************************)

(* View: lns
 * The access.conf lens: any amount of
 * <empty> lines
 * <comment> lines
 * <entry> lines
 * in any order. *)
let lns = (comment|empty|entry) *

(* Variable: filter
 * The lens is applied to /etc/security/access.conf only. *)
let filter = incl "/etc/security/access.conf"

(* Variable: xfm
 * The transform autoloaded by this module: <lns> applied to <filter>. *)
let xfm = transform lns filter