((AllowUsers || AllowGroups) && !(AllowUsers && AllowGroups))

Thomas Binder binder at arago.de
Sat Feb 15 06:11:45 EST 2003


Hi!

On Fri, Feb 14, 2003 at 01:46:55PM -0500, James Dennis wrote:
> Well, that's correct functionally with the code, but it doesn't
> follow the intended use of the directive. It doesn't make sense
> to allow someone access, then deny it later because of another
> directive.

Maybe something like Apache's "Satisfy"-directive would be a
solution (http://httpd.apache.org/docs/mod/core.html#satisfy),
e.g.

SatisfyAllow all -> user must be in both AllowGroup and AllowUsers

SatisfyAllow any -> user must be in AllowGroup or AllowUsers or
                    both

I don't know if "either" as a third option would make sense, i.e.
do not allow access if the user is in both AllowGroup and
AllowUsers.

"All" would be the default, providing the current behaviour.


Ciao

Thomas
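
The three modes proposed above, written as a decision function. This is an added example, not part of the original message and not OpenSSH code. SatisfyAllow, the enum and function names, and the sample accounts are hypothetical; it assumes exact name matching (no patterns, no Deny* handling) and that an unset directive imposes no restriction in any mode.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical modes for the proposed SatisfyAllow directive. */
enum satisfy { SATISFY_ALL, SATISFY_ANY, SATISFY_EITHER };

/* Constructed sample configuration and accounts (NULL-terminated lists). */
static const char *const ALLOW_USERS[]  = { "alice", "bob", NULL };
static const char *const ALLOW_GROUPS[] = { "admins", NULL };
static const char *const G_ALICE[] = { "staff", "admins", NULL }; /* in both */
static const char *const G_BOB[]   = { "staff", NULL };           /* user list only */
static const char *const G_CAROL[] = { "admins", NULL };          /* group list only */

/* True if name appears in the list; a NULL list never matches. */
static bool in_list(const char *name, const char *const *list) {
    for (; list && *list; list++)
        if (strcmp(name, *list) == 0)
            return true;
    return false;
}

/* Assumption: a NULL or empty allow list means the directive is unset. */
bool satisfy_allow(enum satisfy mode, const char *user, const char *const *groups,
                   const char *const *allow_users, const char *const *allow_groups) {
    bool have_u = allow_users && *allow_users;
    bool have_g = allow_groups && *allow_groups;
    bool u = in_list(user, allow_users), g = false;
    for (; groups && *groups; groups++) g = g || in_list(*groups, allow_groups);
    if (!have_u && !have_g) return true;   /* nothing configured: no restriction */
    if (!have_u) return g;                 /* only AllowGroups set */
    if (!have_g) return u;                 /* only AllowUsers set */
    switch (mode) {
    case SATISFY_ANY:    return u || g;    /* one match is enough */
    case SATISFY_EITHER: return u != g;    /* exactly one match (the XOR in the subject) */
    default:             return u && g;    /* "all": both must match */
    }
}

int main(void) {
    const char *names[] = { "all", "any", "either" };
    for (int m = 0; m < 3; m++)
        printf("%-6s alice=%d bob=%d carol=%d\n", names[m],
               satisfy_allow((enum satisfy)m, "alice", G_ALICE, ALLOW_USERS, ALLOW_GROUPS),
               satisfy_allow((enum satisfy)m, "bob", G_BOB, ALLOW_USERS, ALLOW_GROUPS),
               satisfy_allow((enum satisfy)m, "carol", G_CAROL, ALLOW_USERS, ALLOW_GROUPS));
    return 0;
}
```

The modes only differ when both lists are configured; with a single list set, every mode reduces to a match against that list.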




More information about the openssh-unix-dev mailing list