On Wed, Nov 05, 2008 at 10:58:43PM -0800, Jeremy Allison wrote: >>>>> "Jeremy" == Jeremy Allison <[EMAIL PROTECTED]> writes: >>>>> "Mike" == Mike Gallamore <[EMAIL PROTECTED]> writes:
Eric> Example 4: allow only hosts in NIS netgroup "foonet", but deny Eric> access from one particular host Eric> hosts allow = @foonet Eric> hosts deny = pirate Eric> This doesn't mention that every host but pirate will have Eric> access, not just those in @foonet. Eric> I see this as a bug but I wonder if I am missing something. Jeremy> I agree it's counter intuitive, but it does match the man Jeremy> pages for hosts.allow and hosts.deny, which the original Jeremy> code was based on. [excerpt from host_access manpages deleted] Jeremy> A non-existing access control file is treated as if Jeremy> it were an empty file. Thus, access control Jeremy> can be turned off by providing no access control files. Jeremy> So having a "hosts allow" but no "hosts deny" means the Jeremy> "hosts deny" is treated as an empty file (default deny I Jeremy> think). Once you define a "hosts deny" then the default Jeremy> changes to "allow", if you only want to restrict access to Jeremy> a specific hosts list then don't define a "hosts deny", Jeremy> just a "hosts allow". I guess the issue is you really Jeremy> don't need to have both defined (maybe we should log a Jeremy> warning in this case that the results may not be what you Jeremy> would expect). In a later message: Mike> I think something like a sudoers file would make since, ie Mike> no one gets access unless they are on the list. Suggestion: Mike> Perhaps host allow should be the only option. If access Mike> controls are enabled, people only get access if the host Mike> allow field is defined and if their name is on the list. Jeremy> Trouble is that would break existing setups. Nope, best Jeremy> thing we can do is add a warning (IMHO). I agree that changing behavior of hosts deny and host access would break too many existing setups. However, I would like to suggest the following: 1. Eliminate or correct Example 4 from the documentation. Perhaps add an example using EXCEPT. That's what I determined I needed because I wanted to exclude hosts that were in the 'hosts allow' netgroup I think what Example 4 should be Example 4: allow only hosts in NIS netgroup "foonet", but deny access from one particular host hosts allow = @foonet EXCEPT pirate 2. Add a warning or note that defining both 'hosts allow' and 'hosts deny' will lead to allowing everyone not in 'hosts deny'. That is, more hosts than those in 'hosts allow' will be allowed. -- Eric M. Boehm /"\ ASCII Ribbon Campaign [EMAIL PROTECTED] \ / No HTML or RTF in mail X No proprietary word-processing Respect Open Standards / \ files in mail -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba