ACCESS

Section: Misc. Reference Manual Pages (l)
Updated: 19 June 1988
Index Return to Main Contents
 

NAME

access - limit system usage to specified ttys and times  

SYNTAX

/usr/local/etc/access  

DESCRIPTION

Access provides a simple yet powerful method of limiting user access to a system. Simply specify /usr/local/etc/access in place of a login shell in the password file for each user who is to have restricted accessibility to a system. Access will lookup that user's entry in the control file /usr/local/lib/access and execute the specified real login shell (with optional arguments) if the current tty and time falls within one or more of the access constraints given.

Each entry in the control file has the form:

userspec [constraint1] [...[-]o[r] constraintN]
       full_pathname [args]

Blank lines are ignored, while `#' marks the start of a comment which continues to the end of the line. Entries may be continued by indenting continuation lines with whitespace (blanks or tabs). Entries are limited to a maximum of 1k characters.

Accessibility constraints limit the tty port and/or up to 6 accessibility classes of time. Accessibility constraints are composed of multiple specifications separated by spaces and/or tabs. Additional constraints may be specified by connecting them with the OR operator (see below).

Each specification within an accessibility constraint is composed of a letter (optionally preceded by `-') followed by the specification. They are as follows: 

        class   range   description
        -----   -----   -----------
        `t'             tty name restrictor
        `m'     0-59    minute restrictor
        `h'     0-23    hour restrictor
        `w'     0-6     day of week restrictor (0 = Sunday)
        `D'     1-31    day of month restrictor
        `M'     1-12    month restrictor
        `Y'     87-99   year restrictor
        `o[r]'          logical OR separator

Where an accessibility class is not specified within an accessibility constraint, no restriction will be applied to that class. For instance, if `m' does not appear within an accessibility constraint then accessibility will not be constrained by the current minute.

Numeric accessibility classes are specified with single values or a range of values separated by `-'. Multiple specifications may be given at one time separated by `,'. Any given class may appear more than once. The sense of any specific specification may be negated by `!' (or `^'). Further, `*' (or `@') may be used to indicate infinity. For example, each of the following are equivalent: "h0-23", "h*-23", "h0-*", "h*-*", "h*", "h0,1,2-10 h11-*".

The tty accessibility class is composed of one or more string segments, one of which must match the tail of the current tty's name. As with the numeric accessibility classes, "-,!^*@" are all supported.

The first entry in the control file, in which the current user's name is matched within the "userspec", will be the entry processed for that user. The "userspec" is composed of one or more full usernames, one of which must exactly match the current user's name. As with the numeric and tty accessibility classes, ",!^*@" are all supported. Note that ranges specified by `-' are NOT supported in the "userspec".  

EXAMPLES

joe h9-17 /bin/csh
Allow `joe' access only between 9AM and 5PM.

uucp,net ttya7 w1-5 h*,!9-17 or ttya0-ab w0,6
       /usr/lib/uucp/uucico

Allow `uucp' and `net' access on (/dev/t)tya7 weekdays except between 9AM and 5PM or on (/dev/t)tya0 thru (/dev/tty)ab (anytime) on weekends. Note the "*" is required in the hour specification. Otherwise, since "h" appeared - hours would be constrained, no unrestricted hours specified, then further constrained to not be between 9 and 17. In other words no hour would be acceptable and only the second accessibility constraint could possibly pass.

*,!root Y*-87 t*,!console or M*-9 Y88 t*,!console /bin/sh

Allow everyone access except `root' thru September 1988 on any tty except consoles. Note that if access is specified as `root's login shell as this example implies, then `root' must have an entry somewhere following this example entry. Alternately, `root' may have an entry before this one in which event the ",!root" would be extraneous since access would never get this far for user `root'.

uucp /usr/lib/uucp/uucico
* /bin/csh

Give `uucp' unrestricted access to `uucico' and everyone else unrestricted access to the `csh'. Effectively, access would not be doing anything. This would be one method of removing access constraints for everyone without changing the password file.
 

TESTING

If access is invoked from a shell then the access constraints will be derived from its arguments (do not specify the `userspec'). In place of actually executing the real login shell specified, that program's name and its argument vector will be displayed.  

INSTALLATION

Be sure to disable users ability to change their login shell and thereby defeat this control. For example, "chmod o-x /usr/ucb/chsh".  

SEE ALSO

Files: /etc/passwd and /usr/local/lib/access  

DIAGNOSTICS

If at least one accessibility constraint passes, the presence of access is invisible. If no accessibility constraint passes, then a message is issued and the user immediately logged off.  

AUTHOR

George M. Sipe currently (7/88) at rebel!george

 

Index

NAME
SYNTAX
DESCRIPTION
EXAMPLES
TESTING
INSTALLATION
SEE ALSO
DIAGNOSTICS
AUTHOR
This document was created by man2html, using the manual pages.
Time: 10:09:51 GMT, December 12, 2024