((AllowUsers || AllowGroups) && !(AllowUsers && AllowGroups))

Ben Lindstrom mouring at etoh.eviladmin.org
Sat Feb 15 08:48:30 EST 2003


I think we are making this more complex than it really is.  The only valid
rules should be as such

If PermitRootLogin then
	goto Accepted # Damn it, if I state root is allowed, it damn well
			better be honored.

if DenyUser then
	goto Reject  # don't pass go don't collect 200

if AllowUser then
	goto Accepted # If we state they are allowed, honor it

If DenyGroup then
	goto Reject # If they are not allowed by AllowUser they are never

If AllowGroup then
	goto Accepted # We are stated they are allowed directly

if AllowUser > 0 || AllowGroup > 0 then
	goto Reject  # We have either allowed groups or allowed users, and
			they didn't pass.

Accepted:
	...
	return;

Reject:
	...
	return;

There is no other sane way.. No stupid order issues (which sshd_config has
none to start with).  And allows for 'Reject by default, define allowed'
view.

Plus it allows for the other way around.  'Allow by default, reject if
not'

So it makes everyone happy.

The way it currently stands I doubt anyone is using allow{group,user}
at this moment.  Besides, personally if I say Yes I want root for any
reason to be allowed.  It damn well better honor it.  It implies
'AllowUser'.

Deny{User,Group} needs to be honored first because I think anyone stupid
enough to do:

AllowUser Foo
DenyUser Foo

should be shot.

I can see someone going.. "But this breaks DenyUser root".  Well tough,
if you don't want root, use the right option.

- Ben


On Fri, 14 Feb 2003, James Dennis wrote:

> I've thought about this a bit more and have changed my mind. I think
> everything should just be kept very simple to avoid apache-like
> configuration madness. Maybe Thomas's idea?
>
> If user is in denyusers
> 	deny
> if user is in allowusers
> 	allow
>
> report error if user is in both
>
> if user's group is in denygroups
> 	check status of either/and flag
> 	either and is in allowusers
> 		allow
> 	and
> 		deny
> if user's group is in allowgroups
> 	check status of either/and flag
> 	either
> 		allow
> 	and
> 		is in allowusers
> 			allow
> 		else
> 			deny
>
> report error if group is in both
>
> --
> James Dennis
> Harvard Law School
>
> "Not everything that counts can be counted,
> and not everything that can be counted counts."
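The rule order Ben proposes above, written out as a small policy evaluator so the cases argued in the thread (DenyUsers beating AllowUsers, PermitRootLogin overriding DenyUsers root, implicit deny once an Allow list exists) can be checked mechanically. This is an added example, not OpenSSH's own allowed_user() code; the policy dictionary and glob-matching of list entries are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed policy shape: each list holds sshd_config-style patterns
# (assumed to be globs, matched with fnmatch). Missing keys mean "unset".
DEFAULT_POLICY = {
    "PermitRootLogin": False,
    "DenyUsers": [], "AllowUsers": [], "DenyGroups": [], "AllowGroups": [],
}


def _matches(name, patterns):
    """True if name matches any pattern in the list."""
    return any(fnmatchcase(name, pat) for pat in patterns)


def evaluate(user, groups, policy):
    """Apply the proposed rule order top to bottom.

    Returns (accepted, rule) where rule names the line that decided.
    groups is the user's primary plus supplementary group names.
    """
    cfg = {**DEFAULT_POLICY, **policy}
    # 1. PermitRootLogin yes is treated as an explicit allow for root.
    if user == "root" and cfg["PermitRootLogin"]:
        return True, "PermitRootLogin"
    # 2. DenyUsers is honored before AllowUsers.
    if _matches(user, cfg["DenyUsers"]):
        return False, "DenyUsers"
    # 3. An explicit AllowUsers hit is final, even if a group is denied.
    if _matches(user, cfg["AllowUsers"]):
        return True, "AllowUsers"
    # 4./5. Group lists, deny first.
    if any(_matches(g, cfg["DenyGroups"]) for g in groups):
        return False, "DenyGroups"
    if any(_matches(g, cfg["AllowGroups"]) for g in groups):
        return True, "AllowGroups"
    # 6. Any Allow list present means "reject by default, define allowed".
    if cfg["AllowUsers"] or cfg["AllowGroups"]:
        return False, "implicit-deny"
    # 7. No Allow list at all means "allow by default, reject if listed".
    return True, "default-allow"


if __name__ == "__main__":
    print(evaluate("root", ["wheel"], {"PermitRootLogin": True, "DenyUsers": ["root"]}))
    print(evaluate("foo", ["users"], {"AllowUsers": ["foo"], "DenyUsers": ["foo"]}))
```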