mirror of
https://gitlab.archlinux.org/tpowa/archboot.git
synced 2024-09-20 03:50:37 +02:00
65 lines
2.4 KiB
Text
65 lines
2.4 KiB
Text
# Login access control table.
|
|
#
|
|
# When someone logs in, the table is scanned for the first entry that
|
|
# matches the (user, host) combination, or, in case of non-networked
|
|
# logins, the first entry that matches the (user, tty) combination. The
|
|
# permissions field of that table entry determines whether the login will
|
|
# be accepted or refused.
|
|
#
|
|
# Format of the login access control table is three fields separated by a
|
|
# ":" character:
|
|
#
|
|
# [Note, if you supply a 'fieldsep=|' argument to the pam_access.so
|
|
# module, you can change the field separation character to be
|
|
# '|'. This is useful for configurations where you are trying to use
|
|
# pam_access with X applications that provide PAM_TTY values that are
|
|
# the display variable like "host:0".]
|
|
#
|
|
# permission : users : origins
|
|
#
|
|
# The first field should be a "+" (access granted) or "-" (access denied)
|
|
# character.
|
|
#
|
|
# The second field should be a list of one or more login names, group
|
|
# names, or ALL (always matches). A pattern of the form user@host is
|
|
# matched when the login name matches the "user" part, and when the
|
|
# "host" part matches the local machine name.
|
|
#
|
|
# The third field should be a list of one or more tty names (for
|
|
# non-networked logins), host names, domain names (begin with "."), host
|
|
# addresses, internet network numbers (end with "."), ALL (always
|
|
# matches) or LOCAL (matches any string that does not contain a "."
|
|
# character).
|
|
#
|
|
# If you run NIS you can use @netgroupname in host or user patterns; this
|
|
# even works for @usergroup@@hostgroup patterns. Weird.
|
|
#
|
|
# The EXCEPT operator makes it possible to write very compact rules.
|
|
#
|
|
# The group file is searched only when a name does not match that of the
|
|
# logged-in user. Both the user's primary group is matched, as well as
|
|
# groups in which users are explicitly listed.
|
|
#
|
|
# TTY NAMES: Must be in the form returned by ttyname(3) less the initial
|
|
# "/dev" (e.g. tty1 or vc/1)
|
|
#
|
|
##############################################################################
|
|
#
|
|
# Disallow non-root logins on tty1
|
|
#
|
|
#-:ALL EXCEPT root:tty1
|
|
#
|
|
# Disallow console logins to all but a few accounts.
|
|
#
|
|
#-:ALL EXCEPT wheel shutdown sync:LOCAL
|
|
#
|
|
# Disallow non-local logins to privileged accounts (group wheel).
|
|
#
|
|
#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
|
|
#
|
|
# Some accounts are not allowed to login from anywhere:
|
|
#
|
|
#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
|
|
#
|
|
# All other accounts are allowed to login from anywhere.
|
|
#
|