3 Parses /etc/security/access.conf
5 Author: Lorenzo Dalrio <lorenzo.dalrio@gmail.com>
8 Some examples of valid entries can be found in access.conf or "man access.conf"
11 This file is licensed under the LGPLv2+, like the rest of Augeas.
14 Sample usage of this lens in augtool
* Add a rule to permit login of all users from local sources (ttys, X, cron)
17 > set /files/etc/security/access.conf[0] +
18 > set /files/etc/security/access.conf[0]/user ALL
19 > set /files/etc/security/access.conf[0]/origin LOCAL
21 About: Configuration files
22 This lens applies to /etc/security/access.conf. See <filter>.
25 The <Test_Access> file contains various examples and tests.
30 (* Group: Comments and empty lines *)
(* Variable: comment
   Comment lines are delegated to the shared Util lens; nothing
   access.conf-specific is needed for them *)
let comment = Util.comment
(* Variable: empty
   Empty lines, likewise delegated to the shared Util lens *)
let empty = Util.empty
36 (* Group: Useful primitives *)
38 * this is the standard field separator " : "
(* Variable: colon
   Field separator of an entry. The colon and any optional whitespace on either
   side of it (Rx.opt_space) are consumed and not stored in the tree; when an
   entry is created from the tree the canonical " : " is written out *)
let colon = del (Rx.opt_space . ":" . Rx.opt_space) " : "
43 (************************************************************************
45 *************************************************************************)
47 * Allow (+) or deny (-) access
(* View: access
   First field of an entry, stored under the "access" label: "+" permits and
   "-" denies. Only these two characters match, so a line starting with
   anything else is not recognised as an entry *)
let access = label "access" . store /[+-]/
52 * Regex for user/netgroup fields
(* Variable: user_re
   Regex for a single user or netgroup name: any Rx.word except the keyword
   EXCEPT, matched case-insensitively. The keyword is removed from the word
   language so that it is never stored as a user name; otherwise the except
   clause (see <except>) would not be recognised and the tree would
   misrepresent which users the rule applies to *)
let user_re = Rx.word - /[Ee][Xx][Cc][Ee][Pp][Tt]/
57 * user can be a username, username@hostname or a group
59 let user = [ label "user"
61 | store Rx.word . Util.del_str "@"
62 . [ label "host" . store Rx.word ] ) ]
(* View: group
   A group name written in parentheses, e.g. (wheel). The parentheses are
   consumed by the lens and only the name itself is stored under "group" *)
let group = [ label "group"
  . Util.del_str "(" . store Rx.word . Util.del_str ")" ]
71 * Format is @NETGROUP[@@NISDOMAIN]
74 [ label "netgroup" . Util.del_str "@" . store user_re
75 . [ label "nisdomain" . Util.del_str "@@" . store Rx.word ]? ]
78 * A list of users or netgroups to apply the rule to
(* View: user_list
   Space-separated list of <user>, <group> or <netgroup> items that the rule
   applies to *)
let user_list = Build.opt_list (user|group|netgroup) Sep.space
* origin_list is a single IP address, origin name, domain or FQDN, or a space-separated list of those values
86 let origin_re = Rx.no_spaces - /[Ee][Xx][Cc][Ee][Pp][Tt]/
87 in Build.opt_list [ label "origin" . store origin_re ] Sep.space
90 * The except operator makes it possible to write very compact rules.
92 let except (lns:lens) = [ label "except" . Sep.space
93 . del /[Ee][Xx][Cc][Ee][Pp][Tt]/ "EXCEPT"
99 * > entry ::= access ':' user ':' origin_list
101 let entry = [ access . colon
103 . (except user_list)?
106 . (except origin_list)?
109 (************************************************************************
110 * Group: LENS & FILTER
111 *************************************************************************)
113 The access.conf lens, any amount of
(* View: lns
   The whole file: any number of comment, empty or entry lines, in any order *)
let lns = (comment|empty|entry) *
(* Variable: filter
   This lens is applied only to /etc/security/access.conf *)
let filter = incl "/etc/security/access.conf"
(* Variable: xfm
   Ties <lns> to <filter> so that Augeas loads the file under /files *)
let xfm = transform lns filter