((AllowUsers || AllowGroups) && !(AllowUsers && AllowGroups))
James Dennis
jdennis at law.harvard.edu
Sat Feb 15 05:46:55 EST 2003
Well, that's correct functionally with the code, but it doesn't follow
the intended use of the directive. It doesn't make sense to allow
someone access, then deny it later because of another directive.
I think instead of working towards denials, assuming a denial and
working towards allows might make more sense to prevent the allow and
deny directives from cancelling each other out.
    if user is in denyusers
        deny
    if user group is in deny groups
        deny
    if #allowusers > 0 and user is in allowusers
        put user on allow list
    if #allowgroups > 0 and user group is in allowgroups
        put user on allow list
You can deny everyone, but explicitly allow people to override the deny
which is more ideal and more like expected functionality.
-James
Kevin Steves wrote:
> On Fri, Feb 14, 2003 at 01:12:41PM -0500, James Dennis wrote:
>
>>Kevin,
>>
>>I think the problem is the last line.
>>
>>
>>>> Condition blah haha root
>>>> AllowGroups users, AllowUsers root => no no no
>>
>>blah, haha, and root should all be able to login, but his table shows
>>that they actually cannot. I'm pretty sure that's not intended by your
>>description.
>>
>>
>>> if user in denyusers
>>> deny
>>
>>Shouldn't affect any of them.
>>
>>
>>> if #allowusers > 0 and user not in allowusers
>>> deny
>>
>>root is in AllowUsers so this shouldn't deny (Unless PermitRootLogin no?)
>
>
> blah and haha are denied here.
>
>
>>> if user group in deny groups
>>> deny
>>
>>Again, no deny directives so this shouldn't affect anyone.
>>
>>
>>> if #allowgroups > 0 and user group not in allowgroups
>>> deny
>>
>>blah and haha's group is in allow group so they shouldn't be denied.
>
>
> root is denied here.
>
--
James Dennis
Harvard Law School
"Not everything that counts can be counted,
and not everything that can be counted counts."
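A small model of the two evaluation orders discussed in this thread, added here as an example (it is not code from the thread or from OpenSSH). The account-to-group mapping and the sshd_config values are constructed to reproduce the "AllowGroups users, AllowUsers root" row of the table; treating "no Allow* directive configured" as allowed is my assumption, since the outline above does not cover that case.

```python
# Added example: compare the deny-oriented outline quoted from Kevin with
# the allow-oriented outline James proposes. All data below is constructed.

def kevin_order(user, group, allow_users, allow_groups, deny_users, deny_groups):
    """Sequential deny checks. Each non-empty Allow* list denies anyone it
    does not name, so AllowUsers and AllowGroups are effectively ANDed."""
    if user in deny_users:
        return False
    if allow_users and user not in allow_users:
        return False
    if group in deny_groups:
        return False
    if allow_groups and group not in allow_groups:
        return False
    return True

def james_order(user, group, allow_users, allow_groups, deny_users, deny_groups):
    """Deny first, then let either Allow* directive put the user on the
    allow list, so AllowUsers and AllowGroups are effectively ORed."""
    if user in deny_users or group in deny_groups:
        return False
    if not allow_users and not allow_groups:
        return True  # assumption: nothing configured means no allow-listing
    allowed = False
    if allow_users and user in allow_users:
        allowed = True
    if allow_groups and group in allow_groups:
        allowed = True
    return allowed

# Constructed scenario from the table: "AllowGroups users, AllowUsers root".
# root is assumed to be in a group other than "users".
ALLOW_USERS = {"root"}
ALLOW_GROUPS = {"users"}
DENY_USERS = set()
DENY_GROUPS = set()
ACCOUNTS = {"blah": "users", "haha": "users", "root": "wheel"}

def evaluate(policy):
    """Return {user: allowed?} for every constructed account under a policy."""
    return {u: policy(u, g, ALLOW_USERS, ALLOW_GROUPS, DENY_USERS, DENY_GROUPS)
            for u, g in ACCOUNTS.items()}

if __name__ == "__main__":
    for name, policy in (("deny-oriented", kevin_order),
                         ("allow-oriented", james_order)):
        print(name, evaluate(policy))
```

Under the deny-oriented order blah and haha fall out at the AllowUsers check and root at the AllowGroups check, reproducing the "no no no" row; under the allow-oriented order all three are admitted, while an explicit DenyUsers entry still wins.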