3 Parses /etc/security/access.conf
5 Author: Lorenzo Dalrio <lorenzo.dalrio@gmail.com>
8 Some examples of valid entries can be found in access.conf or "man access.conf"
11 This file is licensed under the LGPL v2+, like the rest of Augeas.
14 Sample usage of this lens in augtool
16 * Add a rule to permit login of all users from local sources (ttys, X, cron)
17 > set /files/etc/security/access.conf[0] +
18 > set /files/etc/security/access.conf[0]/user ALL
19 > set /files/etc/security/access.conf[0]/origin LOCAL
21 About: Configuration files
22 This lens applies to /etc/security/access.conf. See <filter>.
25 The <Test_Access> file contains various examples and tests.
30 (* Group: Comments and empty lines *)
(* Variable: comment
 * A comment line, delegated to the generic <Util.comment> lens. *)
let comment = Util.comment
(* Variable: empty
 * An empty line, delegated to the generic <Util.empty> lens. *)
let empty = Util.empty
36 (* Group: Useful primitives *)
(* Variable: colon
 * The field separator between the access, user and origin fields: a colon
 * with optional whitespace on either side when reading, written back as
 * the canonical " : " when a node is created. *)
let colon =
  let separator_re = Rx.opt_space . ":" . Rx.opt_space in
  del separator_re " : "
43 (************************************************************************
45 *************************************************************************)
(* View: access
 * The leading permission flag of a rule: "+" grants access, "-" denies it.
 * Exactly one of the two characters is stored under the "access" label. *)
let access =
  let flag_re = /[+-]/ in
  label "access" . store flag_re
(* Variable: identifier_re
   Regex for user/group identifiers: one or more ASCII letters, digits,
   "_", "." or "-".
   NOTE(review): the hyphen is written as an escaped "\\-" inside the bracket
   expression; confirm whether this also admits a literal backslash. *)
let identifier_re = /[A-Za-z0-9_.\\-]+/
(* Variable: user_re
 * Regex for user/netgroup fields: an <identifier_re> that is not the keyword
 * EXCEPT (matched in any letter case), so that an except clause is never
 * consumed as a user or netgroup name. *)
let user_re =
  let except_keyword_re = /[Ee][Xx][Cc][Ee][Pp][Tt]/ in
  identifier_re - except_keyword_re
61 * user can be a username, username@hostname or a group
63 let user = [ label "user"
65 | store Rx.word . Util.del_str "@"
66 . [ label "host" . store Rx.word ] ) ]
(* View: group
 * A group reference written in parentheses, e.g. (GROUP). The parentheses
 * are dropped on read and only the <identifier_re> between them is stored
 * under the "group" label. *)
let group =
  let open_paren = Util.del_str "(" in
  let close_paren = Util.del_str ")" in
  [ label "group" . open_paren . store identifier_re . close_paren ]
75 * Format is @NETGROUP[@@NISDOMAIN]
78 [ label "netgroup" . Util.del_str "@" . store user_re
79 . [ label "nisdomain" . Util.del_str "@@" . store Rx.word ]? ]
(* View: user_list
 * The users, groups or netgroups a rule applies to: one or more <user>,
 * <group> or <netgroup> items separated by <Sep.space>. *)
let user_list =
  let list_member = user | group | netgroup in
  Build.opt_list list_member Sep.space
87 * origin_list is a single IP address, origin name, domain or FQDN, or a space-separated list of such values
90 let origin_re = Rx.no_spaces - /[Ee][Xx][Cc][Ee][Pp][Tt]/
91 in Build.opt_list [ label "origin" . store origin_re ] Sep.space
94 * The except operator makes it possible to write very compact rules.
96 let except (lns:lens) = [ label "except" . Sep.space
97 . del /[Ee][Xx][Cc][Ee][Pp][Tt]/ "EXCEPT"
103 * > entry ::= access ':' user ':' origin_list
105 let entry = [ access . colon
107 . (except user_list)?
110 . (except origin_list)?
113 (************************************************************************
114 * Group: LENS & FILTER
115 *************************************************************************)
(* View: lns
 * The access.conf lens: any number of <comment> lines, <empty> lines and
 * <entry> lines. The repetition keeps file order, so rule nodes appear in
 * the tree in the same order as the lines in the file. *)
let lns =
  let line = comment | empty | entry in
  line*
(* Variable: filter
 * The only file this lens is applied to is /etc/security/access.conf. *)
let filter = incl "/etc/security/access.conf"
(* Variable: xfm
 * The transform that applies <lns> to the files selected by <filter>. *)
let xfm = transform lns filter