Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Spaces in names in /etc/security/access.conf

1,827 views
Skip to first unread message

Laurent Blume

unread,
Aug 12, 2010, 4:30:02 AM8/12/10
to
Hello all,

I'm trying to restrict access in /etc/security/access.conf based on
group names which have spaces in them (Windows domains groups, in the
form DOMAIN+group of users). It already works for groups without a space.

I tried escaping with \ or quoting, but it didn't seem to work. Any idea
if/how that can be done?

Thanks,

Laurent


--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/4C63AEE2...@opensolaris.org

Camaleón

unread,
Aug 12, 2010, 7:20:02 AM8/12/10
to
On Thu, 12 Aug 2010 10:20:50 +0200, Laurent Blume wrote:

> I'm trying to restrict access in /etc/security/access.conf based on
> group names which have spaces in them (Windows domains groups, in the
> form DOMAIN+group of users). It already works for groups without a
> space.
>
> I tried escaping with \ or quoting, but it didn't seem to work. Any idea
> if/how that can be done?

Mmm, couldn't be that here apply the same restrictions as for usernames?

BTW, "man groupadd" says:

***
CAVEATS

It is usually recommended to only use usernames that begin with a lower
case letter or an underscore, and are only followed by lower case letters,
digits, underscores, dashes, and optionally terminated by a dollar sign.
In regular expression terms: [a-z_][a-z0-9_-]*[$]?

On Debian, the only constraints are that usernames must neither start
with a dash (´-´) nor contain a colon (´:´) or a whitespace (space:´ ´,
end of line: ´\n´, tabulation: ´\t´, etc.).

Groupnames may only be up to 32 characters long.

You may not add a NIS or LDAP group. This must be performed on the
corresponding server.

If the groupname already exists in an external group database such as NIS
or LDAP, groupadd will deny the group creation request.
***

P.S. That man page seems to have an error. When it reads "username" I
guess it should be "groupnames", instead :-?

Greetings,

--
Camaleón


--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org

Archive: http://lists.debian.org/pan.2010.08...@gmail.com

Laurent Blume

unread,
Aug 12, 2010, 10:10:03 AM8/12/10
to
Le 08/12/2010 01:09 PM, Camaleón a écrit :
> Mmm, couldn't be that here apply the same restrictions as for usernames?

Aha, I didn't know that it was so restrictive.
But actually, I'm lucky, I had read access.conf(5), but overlooked this
in pam_access(8), which specifically covers my case:

listsep=separators
This option modifies the list separator character that pam_access
will recognize when parsing the access configuration file. For
example: listsep=, will cause the default ‘ ´ (space) and ‘\t´
(tab) characters to be treated as part of a list element value and
‘,´ becomes the only list element separator. Doing this may be
useful on a system with group information obtained from a Windows
domain, where the default built-in groups "Domain Users", "Domain
Admins" contain a space.


Which proves once again if it was needed that one needs to always RTFM a
little bit more :-)

Thanks,

Laurent


--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org

Archive: http://lists.debian.org/4C63FE86...@opensolaris.org

Camaleón

unread,
Aug 12, 2010, 12:30:01 PM8/12/10
to
On Thu, 12 Aug 2010 16:00:38 +0200, Laurent Blume wrote:

> Le 08/12/2010 01:09 PM, Camaleón a écrit :
>> Mmm, couldn't be that here apply the same restrictions as for
>> usernames?
>
> Aha, I didn't know that it was so restrictive. But actually, I'm lucky,
> I had read access.conf(5), but overlooked this in pam_access(8), which
> specifically covers my case:
>
> listsep=separators

(...)

Ah... great! I take note of this.

> Which proves once again if it was needed that one needs to always RTFM a
> little bit more :-)

Better "RTCM" → Read The *Correct* Manual

And I'm afraid that also applies to me O:-)

Greetings,

--
Camaleón


--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org

Archive: http://lists.debian.org/pan.2010.08...@gmail.com

Laurent Blume

unread,
Aug 13, 2010, 12:20:02 PM8/13/10
to
Le 08/12/2010 06:25 PM, Camaleón a écrit :
> Better "RTCM" → Read The *Correct* Manual

Well, «Correct» is a stretch.

I just found out that you need to put *exactly* this as a pam_access
parameter:

listsep = ,

If you don't put the spaces (as in the manual's example), then the
content of access.conf will be silently ignored, and everybody be
allowed to log in.

The line there looks like this:

-:ALL EXCEPT root,(ldapgroup),(DOMAIN+windows users):ALL


Replacing the remaining spaces by commas also works, but doesn't appear
to be necessary.

Laurent


--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org

Archive: http://lists.debian.org/4C656FB5...@opensolaris.org

Laurent Blume

unread,
Aug 17, 2010, 10:10:01 AM8/17/10
to

Actually, I was wrong. Further testing shows that pam_access simply does
not work as advertised. Those Windows groups with spaces can't be used.
A similar configuration on CentOS does work.

Same with pam_listfile, which works on CentOS, doesn't on Debian. I'm
unsure where the problem is, Samba or PAM, and the logs are not very
helpful.

Laurent

Archive: http://lists.debian.org/4C6A97A4...@opensolaris.org

0 new messages