[tac_plus] Re: tac_plus enhancement
Kiss Gabor (Bitman)
kissg at ssg.ki.iif.hu
Tue Aug 14 07:01:32 UTC 2007
> > acl = local_switches {
> >     permit = ...
> > }
> > group = green {
> >     acl = local_switches
> > }
> > group = telnet_private {
> >     cmd = telnet {
> >         permit ^192\.168\.
> >     }
> > }
> > user = chico {
> >     member green
> >     member telnet_private
> > }

> Any of these are good examples of what I mean. Take user chico. If chico:
> a) hits the implicit deny of local_switches, does it deny or go on to
> telnet_private?

In the current version I don't want to change the semantics of
existing configuration items. So implicit deny also terminates
searching. However, I plan to introduce a new keyword alongside "permit" and
"deny" (e.g. "continue" or "return" or "dunno") that stops traversal
of the current subtree (i.e. no further parent groups of the current one
will be examined).

> b) if local_switches would explicitly accept/deny it, should it check
> telnet_private?

No. An explicit hit terminates searching immediately.
This behavior is compatible with the current version of tac_plus.

Gabor
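
A small Python model of the search order described in this message, added here as an illustration; it is not tac_plus code and does not come from the thread's participants. Assumptions: each request is reduced to one target string, the `green` pattern is a constructed placeholder for the elided ACL body, "continue" is written as an ordinary rule action, and a search that ends with no verdict fails closed.

```python
import re

PERMIT, DENY, CONTINUE = "permit", "deny", "continue"

# Constructed policy modelled on the thread's config. "rules" is an ordered
# (action, regex) list; a group without "rules" defers to its "parents".
# The green pattern is a placeholder: the thread elides the real ACL body.
GROUPS = {
    "green": {"rules": [(PERMIT, r"^10\.1\.")]},
    "telnet_private": {"rules": [(PERMIT, r"^192\.168\.")]},
}
# Same policy, with green ending in the proposed fall-through keyword
# (hypothetical syntax; the message only names candidate keywords).
GROUPS_CONTINUE = dict(
    GROUPS, green={"rules": [(PERMIT, r"^10\.1\."), (CONTINUE, r".")]}
)


def eval_group(name, target, groups):
    """Return the verdict of one group subtree for `target`."""
    group = groups[name]
    rules = group.get("rules")
    if rules is not None:
        for action, pattern in rules:
            if re.search(pattern, target):
                # Explicit hit: permit/deny ends the whole search, while
                # "continue" abandons this subtree (parents are skipped).
                return action
        return DENY  # implicit deny also terminates searching
    for parent in group.get("parents", []):
        verdict = eval_group(parent, target, groups)
        if verdict != CONTINUE:
            return verdict
    return CONTINUE  # assumption: nothing defined here, try the next branch


def authorize(members, target, groups):
    """Walk memberships in config order; return (verdict, deciding group)."""
    for name in members:
        verdict = eval_group(name, target, groups)
        if verdict != CONTINUE:
            return verdict, name
    return DENY, None  # assumption: fail closed when no group decided


CHICO = ["green", "telnet_private"]  # membership order from the config above
```

With the unmodified policy, a target that `green` does not match is denied by `green` itself and `telnet_private` is never consulted, so membership order is security-relevant under these semantics.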