((AllowUsers || AllowGroups) && !(AllowUsers && AllowGroups))
Thomas Binder
binder at arago.de
Sat Feb 15 06:11:45 EST 2003
Hi!
On Fri, Feb 14, 2003 at 01:46:55PM -0500, James Dennis wrote:
> Well, that's correct functionally with the code, but it doesn't
> follow the intended use of the directive. It doesn't make sense
> to allow someone access, then deny it later because of another
> directive.
Maybe something like Apache's "Satisfy"-directive would be a
solution (http://httpd.apache.org/docs/mod/core.html#satisfy),
e.g.
  SatisfyAllow all -> user must be in both AllowGroup and AllowUsers
  SatisfyAllow any -> user must be in AllowGroup or AllowUsers or both
I don't know if "either" as a third option would make sense, i.e.
do not allow access if the user is in both AllowGroup and
AllowUsers.
"All" would be the default, providing the current behaviour.
Ciao
Thomas
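
The three modes discussed in the message above, written out as an added example that is not part of the original post or of OpenSSH. "SatisfyAllow" is only the directive proposed in the message; the enum, the function names, exact-name matching and the single group per user are assumptions made for the sketch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical modes for the proposed "SatisfyAllow" directive. */
enum satisfy { SATISFY_ALL, SATISFY_ANY, SATISFY_EITHER };

/* Constructed sample configuration (NULL-terminated lists). */
static const char *const SAMPLE_USERS[]  = { "alice", "bob", NULL };
static const char *const SAMPLE_GROUPS[] = { "admins", NULL };

/* Exact-name membership; a NULL list contains nobody. */
static bool in_list(const char *name, const char *const *list)
{
    for (; list != NULL && *list != NULL; list++)
        if (strcmp(name, *list) == 0)
            return true;
    return false;
}

/* A NULL list means the directive is not configured. An unset directive
 * expresses no opinion; reading it as "matches everyone" would make
 * "any" admit every account as soon as one list is missing. */
bool allow_login(enum satisfy mode, const char *user, const char *group,
                 const char *const *allow_users, const char *const *allow_groups)
{
    bool u = in_list(user, allow_users);
    bool g = in_list(group, allow_groups);

    if (allow_users == NULL && allow_groups == NULL)
        return true;                     /* no allow-lists to satisfy */
    if (allow_users == NULL)
        return g;                        /* only AllowGroups is set */
    if (allow_groups == NULL)
        return u;                        /* only AllowUsers is set */

    switch (mode) {
    case SATISFY_ALL:    return u && g;  /* "current behaviour" per the message */
    case SATISFY_ANY:    return u || g;
    case SATISFY_EITHER: return u != g;  /* in exactly one of the two lists */
    }
    return false;                        /* unknown mode: fail closed */
}

int main(void)
{
    /* bob is in AllowUsers but not in group "admins": denied under "all" (exit 0). */
    return allow_login(SATISFY_ALL, "bob", "staff", SAMPLE_USERS, SAMPLE_GROUPS);
}
```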