[23886] in Source-Commits


/svn/athena r23496 - in trunk/debathena/config/linerva: debian files/etc/security

daemon@ATHENA.MIT.EDU (Evan Broder)
Sat Feb 28 19:42:33 2009

Date: Sat, 28 Feb 2009 19:41:42 -0500
From: Evan Broder <broder@MIT.EDU>
Message-Id: <200903010041.n210fgbI032134@drugstore.mit.edu>
To: source-commits@mit.edu
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Author: broder
Date: 2009-02-28 19:41:41 -0500 (Sat, 28 Feb 2009)
New Revision: 23496

Added:
   trunk/debathena/config/linerva/files/etc/security/access.conf.debathena
Modified:
   trunk/debathena/config/linerva/debian/changelog
Log:
In debathena-linerva:
  * sync /etc/security/access.conf.debathena from linerva


Modified: trunk/debathena/config/linerva/debian/changelog
===================================================================
--- trunk/debathena/config/linerva/debian/changelog	2009-03-01 00:32:48 UTC (rev 23495)
+++ trunk/debathena/config/linerva/debian/changelog	2009-03-01 00:41:41 UTC (rev 23496)
@@ -1,5 +1,6 @@
 debathena-linerva (1.13) unstable; urgency=low
 
+  [ Greg Price ]
   * cut commented code
   * EDIT_MOTD no longer exists in /etc/default/rcS
   * use DEB_TRANSFORM_FILES rather than sed -i in postinst
@@ -8,8 +9,11 @@
   * /etc/openafs/cacheinfo.debathena.debathena is no longer necessary
   * motd: etch isn't new; also pull info out in format
 
- -- Greg Price <price@mit.edu>  Sat, 28 Feb 2009 19:18:19 -0500
+  [ Evan Broder ]
+  * sync /etc/security/access.conf.debathena from linerva
 
+ -- Evan Broder <broder@mit.edu>  Sat, 28 Feb 2009 19:40:44 -0500
+
 debathena-linerva (1.12) unstable; urgency=low
 
   * Remove DEB_AUTO_UPDATE_DEBIAN_CONTROL.
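Review bot: the trailer `-- Greg Price <price@mit.edu>  Sat, 28 Feb 2009 19:18:19 -0500` is replaced by Evan Broder's trailer while the version stays at `debathena-linerva (1.13) unstable`; that is only correct if 1.13 has not yet been built and uploaded, otherwise the new `[ Evan Broder ]` entry needs its own 1.14 stanza rather than a rewrite of an already-released one. Worth confirming in the log message which case applies.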

Added: trunk/debathena/config/linerva/files/etc/security/access.conf.debathena
===================================================================
--- trunk/debathena/config/linerva/files/etc/security/access.conf.debathena	2009-03-01 00:32:48 UTC (rev 23495)
+++ trunk/debathena/config/linerva/files/etc/security/access.conf.debathena	2009-03-01 00:41:41 UTC (rev 23496)
@@ -0,0 +1,89 @@
+# Login access control table.
+# 
+# When someone logs in, the table is scanned for the first entry that
+# matches the (user, host) combination, or, in case of non-networked
+# logins, the first entry that matches the (user, tty) combination.  The
+# permissions field of that table entry determines whether the login will 
+# be accepted or refused.
+# 
+# Format of the login access control table is three fields separated by a
+# ":" character:
+#
+# [Note, if you supply a 'fieldsep=|' argument to the pam_access.so
+# module, you can change the field separation character to be
+# '|'. This is useful for configurations where you are trying to use
+# pam_access with X applications that provide PAM_TTY values that are
+# the display variable like "host:0".]
+# 
+# 	permission : users : origins
+# 
+# The first field should be a "+" (access granted) or "-" (access denied)
+# character. 
+#
+# The second field should be a list of one or more login names, group
+# names, or ALL (always matches). A pattern of the form user@host is
+# matched when the login name matches the "user" part, and when the
+# "host" part matches the local machine name.
+#
+# The third field should be a list of one or more tty names (for
+# non-networked logins), host names, domain names (begin with "."), host
+# addresses, internet network numbers (end with "."), ALL (always
+# matches) or LOCAL (matches any string that does not contain a "."
+# character).
+#
+# If you run NIS you can use @netgroupname in host or user patterns; this
+# even works for @usergroup@@hostgroup patterns. Weird.
+#
+# The EXCEPT operator makes it possible to write very compact rules.
+#
+# The group file is searched only when a name does not match that of the
+# logged-in user. Both the user's primary group is matched, as well as
+# groups in which users are explicitly listed.
+#
+# TTY NAMES: Must be in the form returned by ttyname(3) less the initial
+# "/dev" (e.g. tty1 or vc/1)
+#
+##############################################################################
+# 
+# Disallow non-root logins on tty1
+#
+#-:ALL EXCEPT root:tty1
+# 
+# Disallow console logins to all but a few accounts.
+#
+#-:ALL EXCEPT wheel shutdown sync:LOCAL
+#
+# Disallow non-local logins to privileged accounts (group wheel).
+#
+#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
+#
+# Some accounts are not allowed to login from anywhere:
+#
+#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
+#
+# All other accounts are allowed to login from anywhere.
+#
+
+#DEBATHENA BEGIN
+
+#DEBATHENA EXAMPLES
+## Only root and tabbott can log in.
+#-:ALL EXCEPT root tabbott:ALL
+## Only andersk and tabbott can log in remotely.
+#-:ALL EXCEPT andersk tabbott:ALL EXCEPT LOCAL
+## Only root and users in group gsipb can log in.
+#-:ALL EXCEPT root gsipb:ALL
+# Note that you can use Moira NFS groups here.
+# See <http://debathena.mit.edu/access-controls> for details.
+
+# DEFAULT: Only allow remote access for users who have local accounts
+# on the machine (i.e. are in /etc/passwd).  Allow all other users to
+# login only locally.
+
+#-:ALL EXCEPT root nss-local-users:ALL EXCEPT LOCAL
+
+#DEBATHENA END
+
+# These are special accounts that you shouldn't be logging in with in
+# the first place
+-:moira finger cpw:ALL
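Review bot: the rule under the "DEFAULT" heading, `#-:ALL EXCEPT root nss-local-users:ALL EXCEPT LOCAL`, is commented out, so as committed the only rule pam_access actually enforces from this file is the final `-:moira finger cpw:ALL`; either uncomment it or reword the header so it does not read as though the remote-login restriction were in effect. Two caveats once it is enabled: by the file's own definition ("LOCAL (matches any string that does not contain a "." character)"), an IPv6 source address such as one sshd reports in PAM_RHOST contains colons but no dots and so matches LOCAL, as does an unqualified short hostname, which means `ALL EXCEPT LOCAL` would let such remote logins through; and the rule relies on a group named `nss-local-users` containing every /etc/passwd user, which nothing in this file documents. A comment naming the package or NSS module that provides that group, and a test of the rule from an IPv6 client, would make the default safe to turn on.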

