[Date Prev] [Date Index] [Date Next] [Thread Prev] [Thread Index] [Thread Next]
Bryan Stansell bryan@conserver.com
Thu, 4 Dec 2003 18:04:31 -0800 (PST)
On Thu, Dec 04, 2003 at 07:16:50PM -0500, Matt Selsky wrote: > We have many machines in our machine room, including machines which we > host for other departments. Those departments should only be able to > access their own machines. Our admin group should be able to access all > consoles. ok. sounds good. let's see what happens... i shrunk the config to one-liners and fixed the '*' entry...here's your original: > My config looks something like this: > > group finance { users abc123; } > group hr { users xyz321; } > group assisted_sysadmin { users finance; users hr; } > group admin { users *; users !assisted_sysadmin; } > default * { rw acis; } > console foo { rw finance, admin; ... } > > However, when I try this, finance and hr can't access their consoles. > They get a permission denied error. Is my config wrong or is this a > bug? at first, i thought it was a bug. but, after looking closer and tracing the code, i see that it isn't, believe it or not. here's why...i need to "walk backward" to explain it. console foo has 'rw finance, admin;'. makes sense. now, finance == 'abc123' so we expand it to 'rw abc123, admin;'. but, admin == '*, !assisted_sysadmin;' so we expand to 'rw abc123, *, !assisted_sysadmin;'. and, assisted_sysadmin == 'finance, hr;' and negating we get !assisted_sysadmin == '!finance, !hr', so... !assisted_sysadmin == '!abc123, !xyz321;' whew. the end result, therefore, is 'rw abc123, *, !abc123, !xyz321;' which is really 'rw *, !abc123, !xyz321;' because the !abc123 "overrides" the abc123. things later in the config file override always override the earlier things be it console definitions, defaults, group definitions, etc...top down, left to right. so, to get the result you're looking for, you'd want to put your more restrictive or important things after your less restrictive/important things (i'm not even sure if that makes sense, but hopefully you get the idea - think backwards of the way you were). which means one change - instead of 'finance, admin', you'd use: console foo { rw admin, finance; ... } that way the positive finance instance overrides the negative finance bits inside the admin group. i *think* all this makes sense and is working right, but if anyone sees a logic error, let me know. i was basically just following the code. ;-) Bryan