((AllowUsers || AllowGroups) && !(AllowUsers && AllowGroups))
Dan Astoorian
djast at cs.toronto.edu
Sat Feb 15 06:28:13 EST 2003
On Fri, 14 Feb 2003 13:46:55 EST, James Dennis writes:
> Well, that's correct functionally with the code, but it doesn't follow
> the intended use of the directive. It doesn't make sense to allow
> someone access, then deny it later because of another directive.
That's not always the case. It might make sense to allow access to a
group, then deny access to a particular member user in that group. It
probably never makes sense to explicitly allow access to a user, then
deny access because that user is in a particular group.
It seems to me that the most explicit option should take precedence
(AllowUsers in preference to AllowGroups); perhaps something like

    if user is in denyusers
        deny
    if user is in allowusers
        permit
    if user group is in denygroups
        deny
    if user group is in allowgroups
        permit
    if #allowusers > 0 or #allowgroups > 0
        deny
    permit

would make sense?
Related question: should it be considered an error to supply both an
AllowUsers and DenyUsers directive in the same configuration? If there
are any AllowUsers directives, (I think) the only way a DenyUsers
statement could have any effect at all would be if it named the same
user as an AllowUsers, which would be silly.
Likewise for AllowGroups and DenyGroups.
If not an error, should a warning be issued if these conditions are
detected?
--
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all.  It's
djast at cs.toronto.edu     not, it's better to have loved and won.  All
www.cs.toronto.edu/~djast/  the other options really suck.  --Dan Redican
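
Added example, not part of the original message and not OpenSSH code: the evaluation order proposed in the message written out in C, so the two cases it discusses (an allowed group with one denied member, and an explicitly allowed user who belongs to a denied group) can be checked. Exact-name matching, the struct layout and all user and group names are assumptions made for illustration; sshd's directives take patterns.

```c
#include <stdio.h>
#include <string.h>

struct policy {   /* each member: NULL-terminated name list, or NULL if unset */
    const char **deny_users, **allow_users, **deny_groups, **allow_groups;
};

/* Exact-name lookup (assumption: no wildcard patterns). */
static int in_list(const char **list, const char *name)
{
    for (; list && *list; list++)
        if (strcmp(*list, name) == 0) return 1;
    return 0;
}

/* True if any of the user's groups appears in the list. */
static int any_group_in(const char **list, const char **groups)
{
    for (; groups && *groups; groups++)
        if (in_list(list, *groups)) return 1;
    return 0;
}

/* 1 = permit, 0 = deny; checks run in the order proposed in the message. */
int login_permitted(const struct policy *p, const char *user, const char **groups)
{
    if (in_list(p->deny_users, user)) return 0;
    if (in_list(p->allow_users, user)) return 1;
    if (any_group_in(p->deny_groups, groups)) return 0;
    if (any_group_in(p->allow_groups, groups)) return 1;
    /* An allow list exists but nothing matched: default deny. */
    if ((p->allow_users && *p->allow_users) || (p->allow_groups && *p->allow_groups))
        return 0;
    return 1;
}

/* Constructed sample data: all user and group names are made up. */
static const char *DU[] = {"mallory", NULL}, *AU[] = {"alice", NULL};
static const char *DG[] = {"contractors", NULL}, *AG[] = {"staff", NULL};
static const char *G_STAFF[] = {"staff", NULL}, *G_CONTR[] = {"contractors", NULL};
static const char *G_GUEST[] = {"guests", NULL};
static const struct policy SAMPLE = {DU, AU, DG, AG}, EMPTY = {NULL, NULL, NULL, NULL};

int main(void)
{
    printf("mallory (staff):     %d\n", login_permitted(&SAMPLE, "mallory", G_STAFF));
    printf("alice (contractors): %d\n", login_permitted(&SAMPLE, "alice", G_CONTR));
    printf("dave (guests):       %d\n", login_permitted(&SAMPLE, "dave", G_GUEST));
    printf("dave, no directives: %d\n", login_permitted(&EMPTY, "dave", G_GUEST));
    return 0;
}
```
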