.Dd 24Jul2018
.Dt ACCESS.CONF 5
.Sh NAME
.Nm access.conf
.Nd master configuration file and rules for
.Xr access 8 .
.Sh DESCRIPTION
.Nm
defines default settings and rules for access, defines access behavior and sets up the environment. It defines new users or redefines existing ones. Its rules permit or deny local users to run commands, log in as other users, and much more beyond what traditional privilege separation tools offer.
.Nm
consists of three sections: the defaults section, whose settings apply to every rule defined (unless overridden by the rule itself); the virtual users section, which (re)defines users recognised by access or adds new ones; and the rules section, which defines what access must allow or deny, and how it should set up the target environment.
.Nm
is a simple ASCII text file, but it can contain Unicode or other character set symbols. access does not interpret different character sets, and processes everything in an 8-bit clean way.
Comments are traditional, as with every other Unix program: a line starting with '#' becomes a comment. However, comment capabilities are limited: because a target command line to be matched can include a '#' character, this character is not interpreted at an arbitrary location, but only at the beginning of a line.
Multiline shell-style backslash line continuations are understood. Any tab characters before and after them are removed. Spaces are left intact.
access will work for the superuser even if this file does not exist. For security reasons, access tests whether this file was created by a user other than the superuser. If it was, access will refuse to operate even when run by the superuser, to draw attention to the problem. If the file is not found when access is run by an unprivileged user, access will also refuse to run and will display a diagnostic message.
.Sh GENERAL SYNTAX
Each specification line starts with a
.Sq %
sign at the beginning of the line, followed immediately by a special reserved keyword.
These are keywords which
.Sy access
understands:
.Dq %set ,
.Dq %unset
- control access internal state and define user variables;
.Dq %user
- defines or redefines virtual users.
.Dq %setenv
- overrides environment variables,
.Dq %unsetenv
- removes environment variables from the invoker environment, and undefines overridden ones,
.Dq %delenv
- removes only the internally defined definition,
.Dq %keepenv
- defines an environment variable which must be preserved.
Special
.Dq %rules
keyword explicitly ends parsing of the defaults and starts parsing the rules section from the next line. This is needed if you have settings which sit on the invisible border between defaults and rules. Without it, settings intended for your first rule would apply to the defaults instead.
Inside rules section a
.Dq %inc
is accepted: it includes other configuration files and accepts wildcards. Thus,
.Dq %inc /etc/access.d/*.conf
instructs access to include all further rules from the
.Pa /etc/access.d
directory.
Each specification accepts one or more required arguments of differing syntax. The syntax for these arguments is described later in this manual. Arguments are separated by spaces.
Rules in the rules section do not start with a specific keyword. Instead, they are specified as is: one rule per line. The syntax for rules is described in
.Sx RULES SECTION
below.
Any section can be omitted completely, or the entire file can be empty.
Invalid, malformed or syntactically incorrect lines are ignored (they are parsed, however, and everything valid up to the error is accepted and applied). There are, however, places where an error is generated instead of a silent ignore.
.Em It is a duty of a system administrator (superuser) to write proper and valid configuration.
access does not check the validity of the configuration file, and does not include a tool to test the validity of
.Nm .
.Sh DEFAULTS SECTION
Each default setting is defined by a
.Dq %set
keyword at the beginning of a line.
.Dq %set
accepts only one argument: either a
.Dq flag
without any argument,
.Dq setting=value
or
.Dq setting=[complexvalue]
settings specifiers.
.Dq %set
is limited to single
.Dq flag
- although rule lines permit multiple flags in their
.Dq [flags]
specifier. The limitation is intentional: in early versions of access it was very confusing to learn that some flags specific to the defaults section could not be specified in the list of ordinary rule flags, so a configuration looked like this:
.Bd -literal -offset 8n
%set pwecho
%set pwinval
%set tty,+d,+D
.Ed
Now, you must do it like that:
.Bd -literal -offset 8n
%set pwecho
%set pwinval
%set tty
%set +d
%set +D
.Ed
This is still not ideal, but at least clearer.
Here is a full list of accepted flags and settings that alter access defaults:
.Bl -tag -width indent
.It Va spath=secure path
Sets internal
.Em secure path
: a colon-separated list of directories, the only ones from which binaries are permitted to execute when the cmdline does not include a full path to the binary (an attempt to
.Xr execvp 3
).
access searches for the binary by looking in every directory listed in
.Em spath ,
and if the binary is not found, emits a not-found error condition.
access also sets
.Ev PATH
environment variable from this setting when it runs a target program.
Default is
.Dq /bin:/sbin:/usr/bin:/usr/sbin
(can be changed in config.h)
.It Va supath=secure superuser path
Same as
.Va spath ,
but used only if destination user is superuser. Normal
.Va spath
can then contain only regular user directories such as
.Pa /bin ,
.Pa /usr/bin ,
.Pa /usr/local/bin ,
and
.Va supath
can contain paths such as
.Pa /sbin .
In most cases this is not needed, but the setting is provided to separate regular and superuser secure directories.
.It Va regex=[yes|no]
Enable regex matching of patterns. By default,
.Em access
does
.Xr fnmatch 3
matching of patterns (a very lightweight subset of regex). Setting this to
.Sq no
will reset it back to fnmatch. See
.Sx REGULAR EXPRESSIONS
section below for additional information.
.It Va regexusers=[yes|no]
Enable regex matching of user and group names which are specified in rules.
Classic matching is then turned off; matching is done entirely by the regex engine.
Format is kept as usual, the identifiers specified between
.Sq :
are matched. Grouplists are matched as whole: no parsing of individual group names is performed.
See
.Sx REGULAR EXPRESSIONS
section below for additional information.
.It Va fnmatch=[yes|no]
Enable fnmatch matching of patterns. This is default. Setting this to
.Sq no
will disable both regex and fnmatch matching and will use only simple compare matching.
.It Va delay=useconds
Delay for specified
.Em useconds
if the invoker has made a mistake.
This completely blocks the invoker's tty for this amount of time.
Default is
.Em 1000000
(1 second).
.It Va logfile=/path/to/access.log
Specifies an alternate log file location at runtime. The log file is not created or appended to when logging to syslog.
Default is
.Dq /var/log/access.log
(can be changed in config.h)
.It Va syslog
Log to syslog instead of to a dedicated file.
.It Va fullinfo
Enable full information grabbing:
.Sy access
will now always remember the invoker and new environment strings, as well as the full invocation cmdline. Without this it is not possible to log base64 versions of the cmdline and the invoker's environ. Because an invoker may supply an arbitrarily long command line or environment block, it is not enabled by default, to prevent the builtin memory area from being hogged. Most users will not need this anyway.
Note that this setting must be specified before any rules are processed. It will not work from the rules section.
.It Va timefmt=str
Set internal time conversion format specifier. Human readable timestamps which appear in logs, format templates and environment variables supplied to helper programs will be formatted with
.Xr strftime 3
using this specifier. The default is
.Sq %c
.It Va logfmt=str
Sets the internal log format from a set of format templates. Any documented format template is accepted, and user variables are parsed too.
See
.Sx FORMAT TEMPLATES
section for a list.
.It Va pwecho
Causes access to display password typing progress by echoing back a masked 'x' character for each character of the typed password. By default access acts like the
.Xr login 1
and
.Xr su 1
programs (which are likely to use
.Xr getpass 3
function): it hides the typed password and does not echo back any hint about its length.
The behavior of
.Xr getpass 3
may be annoying in cases when the user needs to know that the password actually gets typed (a slow remote link, or when copy-pasting the password from somewhere else).
.It Va prompt=str
Specifies an alternate prompt when access asks the invoker for a password. No characters are appended, so this string is written exactly as given to the invoker's tty. It can contain format templates, which are described in the
.Sx FORMAT TEMPLATES
section.
Default is
.Dq Password:
.It Va denymsg=str
Specifies an alternate deny message, displayed when the invoker has made a mistake. This message is written to the invoker's tty just after the specified
.Va delay ,
then access writes to the log if configured, and exits returning an error code.
Like
.Va prompt= ,
it supports
.Sx FORMAT TEMPLATES ,
so you can customise this error message in the same way.
Default is
.Dq Permission denied.
.It Va lockpath=str
Specifies the full path to the directory where lock files are created, together with the lock file pattern itself.
Format templates are accepted and parsed here.
Default is
.Dq /var/run/%{srcuid}.access
which guarantees that a single user cannot run access multiple times even if he has different groups in his grouplist or a different primary group membership.
.It Va umask=octal
Specifies the default umask to be set before the target program runs.
Default is
.Em 0022.
.It Va log
Do logging of every invoked command.
This is default.
.It Va -log
Turns off logging of invoked command.
.It Va logfail
Log failed attempts.
This is default.
.It Va -logfail
Do not log failed attempts.
.It Va minfd=int
Specifies the minimum fd from which the closeall routine starts closing leaked file descriptors.
access prevents leaking any unused or forgotten file descriptors from the invoker's environment (there may be malicious usage of leaked fds).
.Op Fl C
can override this, if permitted.
By default, access starts from number
.Em 3
(omit standard fds).
.It Va maxfd=int
Specifies the maximum fd up to which the closeall routine closes leaked file descriptors.
By default, access asks the system for the possible limit. This setting fixes it explicitly, and access stops asking the system.
Specifying large values can result in slow starting of programs through access.
.It Va pw
Ask for
.Em invoker's
password.
On some platforms and systems, the invoker may have a writable password or shadow file, and this setting can then lead to privilege escalation.
This is default.
.It Va pw=hash
Per-rule password replacement. If a password is asked for, it is always matched against the provided
.Em hash .
The hash can be either what system libc
.Xr crypt 3
accepts, or Skein internal one, generated with
.Dq access -c mkpwd ,
if Skein hash support was compiled in.
.It Va -pw
Do not ask for any password; authentication is successful if no other conditions block it.
.It Va dstpw
Ask for target user password.
.It Va supw
Ask for superuser password. Superuser's name is resolved by access at the very beginning.
.It Va false
Forces access to consider authentication failed. This is useful in rules, not globally, to specify "always false" rules with wide user or cmdline wildcards. As an example, you can prevent access to an "sda" disk device by the most privileged user so that he will not destroy data on it:
.Bd -literal -offset 8n
* * false,-pw,-log,-logfail *sda*
.Ed
.It Va pwinval
If access command line option
.Op Fl [X]
is banned with
.Va -[X]
and it does not require additional permission parameters to be set, then specifying this
permits the invoker to re-enter a password to prove his identity. The sysadmin can then configure which
password type must be asked for by setting one of the password flags listed above.
access defaults to banning any activity early if one of the banned command line options is specified
by the invoker, denying him even the chance to input a valid password; thus
.Va pwinval
degrades this ban to password-level authentication. Note that the
.Va -pw
flag will no longer have any effect once the banned cmdline option state has been triggered by the invoker.
.It Va tty
Verifies that the invoker runs access from an existing terminal. If this is not the case (for example, access is invoked from a daemon), authentication fails.
.It Va -tty
Do not verify invoker's tty state.
.It Va fromtty=/dev/tty
Specifies a valid tty for which the test succeeds. For example, one can restrict privileged commands to ttys that are named
.Dq /dev/tty* .
.It Va ttydt
Detaches the tty from the target program, but still accepts input. Prevents tty hijacking on vulnerable operating system kernels.
.It Va -ttydt
Do not detach tty from target program.
.It Va clearenv
Clears the invoker-provided environment and repopulates it with sensitive variables.
This is default.
.It Va userenv
Does not clear the invoker-provided environment but passes it over. However, sensitive variables are replaced or set.
.It Va keepenv
Tries to keep every piece of the invoker-provided environment. Does not set sensitive variables. Dangerous variables (such as
.Ev PATH
and banned ones) are still reset or removed.
.It Va euid
.It Va egid
Enable setuid or setgid usage. This does not permit setting arbitrary ids unless permitted by rules.
.It Va -euid
.It Va -egid
Disable setuid or setgid usage. Even if permitted by a matching rule, setting euid != ruid will be denied. The same holds for egid.
.It Va numid
Permit numeric user and group names (such as specifying
.Op Fl u Ar 1000
instead of the real user name which owns uid 1000).
.It Va -numid
Disables numeric user and group names. This is the default.
.It Va usronly
Disables setuid and setgid, numeric user and group names, and specifying a primary group or grouplists. In short, it disables the
.Op Fl UgGsStTxX
options and permits only
.Op Fl u
option.
This flag does not have an opposite analog of its own, but it can be cancelled by other flags enabling the specified features.
.It Va -usronly
Cancels any effects previously imposed by
.Va usronly .
.It -[X]
Disable usage of command line option
.Em X .
.It +[X]
Enable usage of command line option
.Em X .
.It -login
Synonym for
.Va -l ,
disables logins by using any of
.Op Fl Il .
.It Va -lock
By default, access creates a lock file for every uid running it, successfully or not. This disables lock file creation and thus the check for multiple running processes.
.It Va warnusr
Gives the invoker a chance to analyze how the target program will be executed: access displays a message that warns the invoker about what is about to be done, and prints the resolved target credentials (both ids and names):
.Bd -literal -offset 8n
You are about to execute this:
`id -u`,
as root(0),root(0):root(0),root(0)[root]
Continue?
.Ed
It then waits for the invoker's confirmation, where typing 'y' or 'Y' confirms agreement and 'n' or 'N' disagreement. Other characters and control codes are
.Em disabled
and if the user tries to type something else, he gets a single hint about what to type.
Note that disagreement means failure and will likely result in a log file entry.
.It Va -warnusr
Does not warn the invoker about what is about to be done.
Note that some
.Dq %set
internal settings can be changed at any time doing
.Dq %set
again, while others cannot (especially if these "settings" are really functions behind the scenes).
.It Va root=/chroot/dir
For use with
.Op Fl R ,
this flag permits chroot into specified directory. Without
.Op Fl R
it is not performed automatically, so invoker interaction is required.
Note:
.Dq %set +R
is mandatory to enable
.Op Fl R
usage.
.It Va dir=/change/dir
Like
.Va root ,
but for use with
.Op Fl D .
.It Va cwd=/current/dir
Match by current working directory.
.It Va taskprio=int
Changes the process priority to this value. The value is passed as is to
.Xr setpriority 2 .
.It Va rlimit=rlimspec
Defines (with
.Sq %set )
or undefines (with
.Sq %unset )
a resource limit. All resource limits are set just before running the target cmdline.
.Em rlimspec
is defined in format of:
.Dq nrlim:soft:hard ,
where
.Em nrlim
specifies the number or symbolic name of the resource limit (such as
.Dq RLIMIT_AS
),
.Em soft
is the soft limit number, which the user may raise up to the
.Em hard
limit number. All numbers except the resource limit number accept size suffixes (for example, 4k is translated to 4096).
.It Va blame=str
Append
.Dq str
to the internal reason string. This string is logged when the invoker is insulted for an invalid action, after all data about the invoker, destination user, environment etc. has been recorded, and comes last in the log file entry. Appending
.Dq str
will enclose the original access reason string in parentheses after the
.Dq str
reason string. If
.Va denymsg=
default setting contains
.Va %{reason}
format template, then
.Em this reason string
is displayed to invoker in final deny message, not the internal one.
.It Va audit=cmdline
Specifies an
.Em external privileged program
which will be supplied with very detailed information about access internals:
.Bl -bullet -compact
.It
.Ev ACCESS_PID
: contains the process identifier of access itself
.It
.Ev ACCESS_PPID
: contains the process identifier of the invoker (so you can act on it, for example by sending signals to it)
.It
.Ev ACCESS_DATETIME
: contains a formatted date and time string in the common
.Xr date 1
default format, as it goes into the log by default, unless the
.Va loguts
default is set.
.It
.Ev ACCESS_TIMESTAMP
: contains invocation timestamp in raw Unix time format (seconds since Epoch)
.It
.Ev ACCESS_UID
: contains invoker uid
.It
.Ev ACCESS_USER
: contains invoker resolved user name
.It
.Ev ACCESS_GID
: contains invoker primary gid
.It
.Ev ACCESS_GROUP
: contains invoker resolved primary group name
.It
.Ev ACCESS_GIDS
: contains full list of invoker group ids in numeric form.
.It
.Ev ACCESS_GROUPS
: contains full list of invoker groups (grouplist with resolved names).
The list members are guaranteed to be in sync with
.Ev ACCESS_GIDS
list members, so that each n-th member from gids list matches n-th member from groups one.
.It
.Ev ACCESS_D_UID
: contains target uid
.It
.Ev ACCESS_D_EUID
: contains target effective uid
.It
.Ev ACCESS_D_USER
: contains target resolved user name
.It
.Ev ACCESS_D_EUSER
: contains target resolved effective user name
.It
.Ev ACCESS_D_GID
: contains target primary gid
.It
.Ev ACCESS_D_EGID
: contains target primary effective gid
.It
.Ev ACCESS_D_GROUP
: contains target resolved group name
.It
.Ev ACCESS_D_EGROUP
: contains target resolved effective group name
.It
.Ev ACCESS_D_GIDS
: contains full list of target group ids in numeric form.
.It
.Ev ACCESS_D_GROUPS
: contains full list of target groups (grouplist with resolved names).
The list members are guaranteed to be in sync with
.Ev ACCESS_D_GIDS
list members, so that each n-th member from gids list matches n-th member from groups one.
.It
.Ev ACCESS_FLAGS
: contains a copy of triggered rule flags part
.It
.Ev ACCESS_LINE
: contains a copy of triggered rule line
.It
.Ev ACCESS_CONF
: contains full filesystem path to a currently parsed config file
.It
.Ev ACCESS_LINE_NUMBER
: contains current rule line number
.It
.Ev ACCESS_MATCH_TYPE
: contains a fixed string of match algorithm used to detect the rule:
.Sq regex
means that regular expressions were used,
.Sq fnmatch
means that fnmatch basic matching was used,
.Sq strcmp
means that simple case sensitive string comparison was used.
.It
.Ev ACCESS_BINPATH
: contains the full resolved path to the binary which is to be invoked. Safe path rules apply. Command line arguments are omitted. This variable disappears if the binary is not found within the safe path (and it will not be found during execution either).
.It
.Ev ACCESS_CMDLINE
: contains the full translated target command line, which is matched against the cmdline parts of rules.
It is better to parse ACCESS_ARGS starting from ACCESS_FIRST_ARG: the values in ACCESS_ARGS are guaranteed not to be interpreted in special ways (they are raw values). The value given here is a human-readable string which should be shown in dialogs.
.It
.Ev ACCESS_HASHBANG
: when access is invoked from the "#!" header of a Unix script, this variable contains a copy of the first
.Em access
command line argument before it is split into separate parts.
.It
.Ev ACCESS_USERENV
: contains a base64 string which encodes all environment variables that the invoker passed to us
.It
.Ev ACCESS_ENVIRON
: contains a base64 string which encodes the target program environment
.It
.Ev ACCESS_FIRST_ARG
: contains the index (counting from 0) at which the actual invoker/target command line starts; seeking to it skips all access command line options. It is useful together with ACCESS_ARGS to parse the command line efficiently.
.It
.Ev ACCESS_ARGS
: contains a base64 string which encodes all access command line arguments
.It
.Ev PATH
.It
.Ev ACCESS_PATH
: both contain the current
.Va spath
setting (but see note under this list).
.It
.Ev ACCESS_LOCKFILE
: contains a full path to uid lock file which is held when access is running. If
.Dq %set -lock
is applied, then this variable contains the static string "<unset>".
.It
.Ev ACCESS_TTY
: contains path to invoker tty device. If no tty is associated, this variable will not exist.
.It
.Ev ACCESS_CWD
: contains the current working directory which access recognises and uses in its tests.
.It
.Ev ACCESS_CHDIR
: contains the directory into which the invoker tries to chdir with
.Op Fl d
or
.Op Fl D
after target privileges are in effect. This variable appears only when the invoker told the program
to change the target directory with the
.Op Fl d
or
.Op Fl D
options.
.It
.Ev ACCESS_USRDIR
: contains the passwd db resolved user directory (usually called the
.Dq home directory
), to which all the user configuration is written. It matches the contents of the
.Ev HOME
environment variable in the target user environment.
.It
.Ev ACCESS_CHROOT
: contains the full path to the directory into which the invoker wants to chroot. This variable disappears if the invoker is denied chroot, or if the invoker did not specify a chroot directory.
.It
.Ev ACCESS_USRSHELL
: contains the passwd db resolved path to the shell executable which runs for the user on login.
.Op Fl I
does not affect its value.
.It
.Ev ACCESS_LOG
: if access logs to a dedicated logfile, then this contains the full path to that logfile. This usually comes from the
.Va logfile
setting. If syslog is used instead, then this variable contains the static string "<syslog>".
.It
.Ev ACCESS_VERSION
: contains the access version number in the form of a single, increasing number. Because some conventions may vary, a version test and adaptation is encouraged for portable scripts and programs which work as auditors. This string is guaranteed to be static when the same access binary is invoked.
.It
.Ev ACCESS_RSNFD
: contains an fd to a pipe which originates from the access master process. An auditor program, when deciding to reject the presented cmdline, may write a short reason string of any format, no longer than 256 characters and without a trailing newline, to this fd. access reads it and replaces its internal reason string with this one completely, even writing it to the logfile or syslog. Note that this only works when access is denied and no password will be asked for further via the special return codes.
If reason string begins with
.Dq <hide>:
prefix, then the final deny message
.Va denymsg=
or the default builtin one is not shown. The audit program can signal access this way not to show its extra messages: the audit program may blame the user by itself, and force access to keep quiet afterwards.
It is normal not to write anything to this fd, whether the audit is successful or not. If the program does not write anything to the fd, the default builtin reason is used instead.
.El
Note that PATH may differ from ACCESS_PATH here.
A different PATH for the audit program can be specified with
.Va auditspath .
.Va cmdline
understands quoted arguments with spaces inside, which are translated to a single argument, as well as other basic shell constructs like escaping these quotes and spaces.
This program must return 0 (by default) to permit running the target program, or any other value to deny the action. If logging is enabled, the full command line of the audit program, its pid and its return value are logged.
Special return values are reserved for the audit program. When the audit program returns one of them as its result, and
.Va auditret
is not set to the same value, access interprets it specially.
.Bl -bullet -compact
.It
.Va 254
: access sets
.Va pw
flag internally when it sees this return value, even if
.Va -pw
was previously in effect. It then asks the invoker for his own password.
.It
.Va 253
: access sets
.Va dstpw,pw
flags internally when it sees this return value, even if
.Va -pw
was previously in effect. It then asks the invoker for the target user's password.
.It
.Va 252
: access sets
.Va supw,pw
flags internally when it sees this return value, even if
.Va -pw
was previously in effect. It then asks the invoker for the superuser's password.
.El
The program is not restricted from interacting with the invoker, but most tty signals are blocked during its run. access also waits for the return value of this program and will never
.Dq timeout
or otherwise try to interrupt the audit program. The audit program is considered an access companion: it receives the same superuser permissions and protection as access itself.
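The following is an added example of an audit program written against the interface described above; it is not part of the access project. It assumes the script is installed as /usr/local/sbin/access-audit.sh and enabled with %set audit= pointing at it, and its policy (deny a root target when no tty is present, require the invoker's password for wildcard-matched root rules) is constructed for illustration only.

```sh
#!/bin/sh
# Added example audit helper for access(8); not part of the access project.
# Assumed to be enabled with:  %set audit=/usr/local/sbin/access-audit.sh
# access runs it as superuser with the ACCESS_* variables documented above.
# Exit status contract from the manual: 0 allow, 254 allow after the
# invoker's own password, 253 after the target user's, 252 after the
# superuser's, anything else deny. The policy below is constructed.

# Write a reason string to the ACCESS_RSNFD pipe: at most 256 characters
# and no trailing newline, as the manual requires. A no-op when access
# gave us no reason fd.
blame() {
    if [ -n "${ACCESS_RSNFD:-}" ]; then
        printf '%.256s' "$1" >&"$ACCESS_RSNFD"
    fi
}

# Decide on the presented command; returns the status access expects.
audit_decide() {
    # ACCESS_BINPATH disappears when the binary is not in the secure path:
    # deny early with a reason instead of letting the exec fail later.
    if [ -z "${ACCESS_BINPATH:-}" ]; then
        blame "audit: target binary not found in secure path"
        return 1
    fi
    # A root target from a session with no controlling tty (ACCESS_TTY is
    # absent, e.g. a daemon) is refused; the reason names the matched rule.
    if [ "${ACCESS_D_UID:-}" = 0 ] && [ -z "${ACCESS_TTY:-}" ]; then
        blame "audit: no tty for root target (rule ${ACCESS_CONF:-?}:${ACCESS_LINE_NUMBER:-?})"
        return 1
    fi
    # A root target matched through a wildcard (fnmatch/regex) rather than
    # an exact strcmp rule is allowed only after the invoker proves identity:
    # status 254 makes access set the pw flag even if -pw was in effect.
    if [ "${ACCESS_D_UID:-}" = 0 ] && [ "${ACCESS_MATCH_TYPE:-}" != strcmp ]; then
        return 254
    fi
    return 0
}

# access always exports ACCESS_PID to the audit program; when the script is
# merely sourced for testing, nothing runs.
if [ -n "${ACCESS_PID:-}" ]; then
    audit_decide
    exit $?
fi
```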
.It Va auditspath=audit safe path
This is the same as
.Va spath ,
but applies safe
.Ev PATH
variable to audit and password asking programs only. Without it, they inherit the
.Va spath
setting, which might be inappropriate if
.Va spath
is wide enough to include duplicate programs and scripts.
.It Va auditret=int
Specifies the audit program return value which is considered success. Other values are treated as failure. The default value is 0. Unsetting it resets the value to the default.
.It Va pwask=cmdline
access can be configured to delegate the password asking routine to an external program. Such a program may display a nice GUI dialog, block the user from interacting with the desktop, grab keyboard and mouse and force them to be active only within this dialog, etc. Such tasks are not part of access: access only provides a way to safely ask for a password within a user's terminal, which today, unfortunately, is not the default user interface.
The program executed by access runs as superuser and receives the same protection at runtime as the access program itself, so it cannot be killed by an unprivileged user or tampered with in an attempt to gain access. If you do not wish to run complex code as superuser, you may wrap it in a small shell script which respawns it, using access itself, as another (dedicated) unprivileged user:
.Bd -literal -offset 8n
#!/bin/access -C -e PATH=/bin:/sbin -u nobody -- /bin/sh
exec /sbin/pwaskprogram args ...
.Ed
access sets these environment variables, which are available to the password asking program:
.Bl -bullet -compact
.It
.Ev PATH
: contains a
.Va spath=
value, which is overridden by the
.Va %set auditspath=
one, if it was set previously.
.It
.Ev ACCESS_PWDFD
: this
.Xr pipe 2
fd end listens for the password which the user typed. The program
.Sy must
write the password to this fd when it considers that reading was successful. When the password asking program detects abnormal user behavior (or another, possibly system, error), it may instead write a reason string to this fd, describing why reading was unsuccessful. In this case, it must exit with a nonzero status.
.It
.Ev ACCESS_PROMPT
: contains a (parsed)
.Va prompt=
string. This value can be displayed to the user by the program, so the user understands where this dialog came from and why.
.It
.Ev ACCESS_UID
: contains invoker uid
.It
.Ev ACCESS_USER
: contains invoker resolved user name
.It
.Ev ACCESS_GID
: contains invoker primary gid
.It
.Ev ACCESS_GROUP
: contains invoker resolved primary group name
.It
.Ev ACCESS_GIDS
: contains full list of invoker group ids in numeric form.
.It
.Ev ACCESS_GROUPS
: contains the full list of invoker groups (grouplist with resolved names).
The list members are guaranteed to be in sync with the
.Ev ACCESS_GIDS
list members, so that the n-th member of the gids list matches the n-th member of the groups list.
.It
.Ev ACCESS_D_UID
: contains target uid
.It
.Ev ACCESS_D_EUID
: contains target effective uid
.It
.Ev ACCESS_D_USER
: contains target resolved user name
.It
.Ev ACCESS_D_EUSER
: contains target resolved effective user name
.It
.Ev ACCESS_D_GID
: contains target primary gid
.It
.Ev ACCESS_D_EGID
: contains target primary effective gid
.It
.Ev ACCESS_D_GROUP
: contains target resolved group name
.It
.Ev ACCESS_D_EGROUP
: contains target resolved effective group name
.It
.Ev ACCESS_D_GIDS
: contains the full list of target group ids in numeric form.
.It
.Ev ACCESS_D_GROUPS
: contains the full list of target groups (grouplist with resolved names).
The list members are guaranteed to be in sync with the
.Ev ACCESS_D_GIDS
list members, so that the n-th member of the gids list matches the n-th member of the groups list.
.It
.Ev ACCESS_PWUSR
: contains the user name whose password hash was retrieved and is now being verified.
.It
.Ev ACCESS_USERENV
: contains a base64 string which encodes all environment variables that the invoker passed to us. It is needed only to help GUI programs like the
.Dq pinentry
family find out their X11
.Ev DISPLAY
variable so they can display their dialog properly. Some other programs may require the tty's
.Ev TERM
variable so that all the controls are interpreted correctly. There may be others set by the user, which are not interpreted by access in any way.
.El
.Sy IMPORTANT:
If the password asking program does not respond (that is, it does not write anything to the provided pipe fd), or this fd was accidentally closed, then access interprets an empty C string as the password, passing it to the internal
.Xr crypt 3
wrapper as is. If the password hash being compared was made from an empty C string, then access will be granted. In most situations this will not happen. An empty hash input is not considered an empty password, so empty passwords are safe to use as always-/bin/false style short-circuits within the access scope.
Password length must not exceed 256 characters.
Because of the protocol style imposed by access, you will almost always need a shell script wrapper to adapt your password asking programs to the input expected by access. Depending on the design decisions of the programs you use, this may be very easy or very hard to implement. Although the protocol used by access is simple and trusted, the author has seen password asking programs which are a pure mess and should be much simpler and more Unix oriented, really.
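The following wrapper is an added example, not code from the access project: it speaks the password-asking protocol described above, always answering on ACCESS_PWDFD (either the password, or a reason string followed by a nonzero exit) and enforcing the 256 character limit. It assumes that access takes the bytes written to the fd verbatim, with no trailing newline, and that the names ask_on_tty and reply_password are ours.

```shell
#!/bin/sh
# Added example, not code from the access project: a wrapper that speaks the
# password-asking protocol described above. Assumptions: access takes the
# bytes written to ACCESS_PWDFD as the password verbatim (so no newline is
# appended), and a reason string plus a nonzero exit signals failure.

MAX_PW_LEN=256   # limit stated in this manual page

# reply_password FD PASSWORD
# Writes PASSWORD to FD and returns 0. On a bad candidate it writes a reason
# string to FD and returns 1 instead, so FD never stays silent: an unanswered
# fd makes access treat the password as an empty C string.
reply_password() {
    fd="$1"
    pw="$2"
    if [ -z "$pw" ]; then
        printf '%s' "reading failed: empty input" >&"$fd"
        return 1
    fi
    if [ "${#pw}" -gt "$MAX_PW_LEN" ]; then
        printf '%s' "reading failed: password too long" >&"$fd"
        return 1
    fi
    # A closed FD makes the redirection fail, which becomes our exit status.
    printf '%s' "$pw" >&"$fd"
}

# ask_on_tty
# Reads one line from the controlling terminal with echo disabled and prints
# it on stdout. ACCESS_PROMPT (set by access) tells the user who is asking.
ask_on_tty() {
    printf '%s: ' "${ACCESS_PROMPT:-Password}" >/dev/tty
    trap 'stty echo </dev/tty' EXIT INT TERM
    stty -echo </dev/tty
    IFS= read -r line </dev/tty || line=""
    stty echo </dev/tty
    printf '\n' >/dev/tty
    printf '%s' "$line"
}

# Run the dialog only when started by access (ACCESS_PWDFD is set); otherwise
# the functions above are merely defined and can be exercised separately.
if [ -n "${ACCESS_PWDFD:-}" ]; then
    reply_password "$ACCESS_PWDFD" "$(ask_on_tty)" || exit 1
    exit 0
fi
```

To hand the dialog to an unprivileged user, install this script as the target of the access-based shebang wrapper shown above.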
.It Va blamecmd=cmdline
This cmdline gets executed as superuser when
.Sy access
has already decided that the invoker has no access.
It is designed only to display a message (for example, as a GUI message box) that access would otherwise write to the invoker's stdout. It cannot cancel access's decision at this point.
It is supplied with the identical set of variables which the
.Va audit=
program receives, plus these environment variables:
.Bl -bullet -compact
.It
.Ev ACCESS_DENYMSG
: contains the parsed denymsg string, which the program should display to the invoker.
.El
.Sh DEFINING ENVIRONMENT VARIABLES
.Sy access
allows the user to set their own environment variables with the
.Op Fl e
option, but only if use of this option was allowed with
.Dq %set +e
or in the flags of the individual matching rule.
To keep the user's intentions within reasonable limits, access gives the ability to set, unset or alter environment variables explicitly from the configuration file. access also carries predefined lists of
.Em trusted
and
.Em banned
environment variables: those which may and those which must never (respectively) appear in an invoker's environment. access does not punish for their presence; it just removes them (sanitises the source environ) before the target program gets control.
.Dq %setenv
accepts a
.Em single
environment variable. The syntax is:
.Dq %setenv NAME=VALUE ,
where
.Em NAME
is an environment variable name, and
.Em VALUE
is its value, which may contain any characters you wish, including spaces.
.Em VALUE
may also include format templates and user defined variables. Please see
.Sx FORMAT TEMPLATES
and
.Sx USER VARIABLES
sections for detailed explanations.
The variable remains in effect until it is explicitly removed by
.Dq %unsetenv .
.Em The user cannot remove such a variable manually with
.Op Fl e .
.Dq %unsetenv
accepts the name of an environment variable to remove. The syntax is:
.Dq %unsetenv SPEC ,
where
.Em SPEC
is the name of an environment variable, or an
.Xr fnmatch 3
pattern.
It will unset (remove) any environment variable previously defined with
.Dq %setenv ,
and any matching environment variable found in the invoker's environ.
.Dq %delenv
accepts the name of a previously defined environment variable.
It does not remove any really existing environment variable from the source environment;
rather, it operates on the internal structures. The syntax is:
.Dq %delenv SPEC ,
where
.Em SPEC
is the name of an environment variable, or an
.Xr fnmatch 3
pattern.
.Dq %keepenv
defines a new environment variable which, if found in the invoker's environ, will be
preserved across the border and set in the target environ. The syntax is:
.Dq %keepenv NAME .
.Sh VIRTUAL USERS SECTION
It follows the
.Sx DEFAULTS SECTION
and each line in this section starts with the
.Dq %user
keyword.
There are two versions of input arguments for the
.Dq %user
specifier: the old syntax, with the simple format
.Dq name $U$salt$hash ,
and the new syntax, whose format is
.Dq name:$U$salt$hash:uid:gid:udir:shell .
The old format just replaces the password hash of
.Em name
with the given value.
The new format defines a completely new virtual user or redefines an existing one: the new password hash, uid, gid, user directory and shell are initialized from the given values and used across the whole runtime of access.
For example, if in
.Pa /etc/passwd ,
there is a line:
.Bd -literal -offset 8n
test:x:9999:9999:test user:/tmp:/bin/sh
.Ed
and
.Xr id 1
shows this about the
.Em test
user:
.Bd -literal -offset 8n
% id test
uid=9999(test) gid=9999(test) groups=9999(test)
%
.Ed
then, with this line in effect:
.Bd -literal -offset 8n
%user test:$U$salt$hash:1991:1886:/u/test:/bin/ksh
.Ed
and you are permitted to run programs as
.Em test ,
you will see this (assuming
.Va -pw
is set):
.Bd -literal -offset 8n
% id test
uid=9999(test) gid=9999(test) groups=9999(test)
% access -u test id
uid=1991 gid=1886 groups=1886
%
.Ed
This password, once set, virtually
.Dq replaces
any password provided by the system, so the redefined password always takes priority when resolving uid/user data, with both the old and the new syntax.
.Sh RULES SECTION
The rules section does not have a dedicated keyword for each rule. Instead, each rule is given in the following format:
.Bd -literal
[srcusr]:[srcgrp]:[srcgrps] [dstusr[,dsteusr]]:[dstgrp[,dstegrp]]:[dstgrps] flags cmdline ...
.Ed
.Ss srcusr part
The srcusr part describes the invoker identity to match against. Arbitrary names and numbers are accepted, except the " " (space), "*" and ":" characters.
.Bl -bullet -compact
.It
.Va srcusr
: describes a user name or uid
.It
.Va srcgrp
: describes a primary group or gid
.It
.Va srcgrps
: describes a comma separated grouplist (both group names and gids).