[tac_plus] Re: Multiple groups, multiple ACL-s
Kiss Gabor (Bitman)
kissg at ssg.ki.iif.hu
Tue Mar 30 18:47:55 UTC 2010
> The problem is the following:
>
> userA can login on nasA but can issue only "show *" cmd
> userA can login on nasB but can issue only "ping *" cmd
> userA can login on nasC but can issue only "exit *" cmd
>
> It seems ACLs must be applied to cmd somehow but I do not know how.
>
> Is this possible with your patch? Is this possible with tac+ at all?
Do you think this?
user = userA {
    member = nasA_show
    member = nasB_ping
    member = nasC_exit
    ...
}
group = nasA_show {
    acl = acl_nasA
    member = cmd_show
}
acl = acl_nasA {
    permit = <regexp of nasA address>
    return = .*
}
group = cmd_show {
    cmd = show {
        permit .*
    }
}
...
Details at
http://www.shrubbery.net/pipermail/tac_plus/2007-August/000125.html
Gabor
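
Added example (not part of the original post, the patch, or tac_plus): a small Python model of the per-NAS layout above, for checking the intended allow/deny matrix and the ACL regexes before deploying such a config. The addresses, the first-match and default-deny evaluation, and all helper names are assumptions, and Python's `re` stands in for the daemon's regex matching.

```python
import re

# Constructed policy mirroring the reply's layout. NAS addresses are
# placeholders (192.0.2.0/24); the evaluation order is an assumption.
ACLS = {
    "acl_nasA": [("permit", r"^192\.0\.2\.1$")],
    "acl_nasB": [("permit", r"^192\.0\.2\.2$")],
    "acl_nasC": [("permit", r"^192\.0\.2\.3$")],
}
# NAS-bound group -> (ACL gating it, command group it is a member of)
GROUPS = {
    "nasA_show": ("acl_nasA", "cmd_show"),
    "nasB_ping": ("acl_nasB", "cmd_ping"),
    "nasC_exit": ("acl_nasC", "cmd_exit"),
}
# command group -> {command: rules applied to the command's arguments}
CMD_GROUPS = {
    "cmd_show": {"show": [("permit", r".*")]},
    "cmd_ping": {"ping": [("permit", r".*")]},
    "cmd_exit": {"exit": [("permit", r".*")]},
}
USERS = {"userA": ["nasA_show", "nasB_ping", "nasC_exit"]}


def first_match(rules, text):
    """Action of the first rule whose regex matches text, else 'deny'."""
    for action, pattern in rules:
        if re.search(pattern, text):
            return action
    return "deny"


def authorize(user, nas_ip, cmd, args=""):
    """True only if a group bound to this NAS permits cmd with args."""
    for group in USERS.get(user, []):
        acl, cmd_group = GROUPS[group]
        if first_match(ACLS[acl], nas_ip) != "permit":
            continue  # membership does not apply on this NAS
        rules = CMD_GROUPS[cmd_group].get(cmd)
        return rules is not None and first_match(rules, args) == "permit"
    return False  # no ACL matched the NAS address: default deny


def acl_overmatch(pattern, intended, others):
    """Addresses other than `intended` that the ACL regex also matches."""
    return [ip for ip in others if ip != intended and re.search(pattern, ip)]
```

`acl_overmatch` is there because the ACL is a regexp: an unanchored, unescaped pattern such as `192.0.2.1` also matches `192.0.2.10`, which would give a different NAS the command set meant for nasA.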