Hi Daniel,

On Tue, Mar 06, 2012 at 11:39:04AM +0100, Daniel Pocock wrote:
> I decided to try pam_access.so and access.conf on a system to improve
> security

> I built my own access.conf based on the sample included in the package,
> in particular, I ended my file with the same catch-all rule:

> - : ALL : ALL

> The next few days, I received errors from cron:

> /etc/cron.daily/amavisd-new:
> su: Permission denied
> (Ignored)

> I also had similar errors when running apt-get update on the machine

> I've found that using a catch-all rule like this:

> - : ALL : ALL EXCEPT LOCAL

> may be more appropriate

The access.conf that's shipped by default actually includes two examples,
the first of which does show the use of LOCAL.

Also, if you're seeing this error then presumably you've added pam_access to
/etc/pam.d/common-account - so of course it's going to apply to all
services, and requires some thought about whether the rules it's applying
are correct for all services.

I am unconvinced that any change to the example is actually warranted here;
but I would consider a patch if submitted.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[email protected]                                     [email protected]
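
Why the two catch-all rules discussed in this thread behave differently, as an added example (not from the original messages and not pam_access's own code): a simplified Python model of access.conf evaluation covering only ALL, LOCAL, EXCEPT and first-match-wins. The `+ : admin : ALL` rule, the user names and the origin strings are constructed, and treating `su` as the origin of a cron job with no tty is an assumption.

```python
# Simplified model of access.conf evaluation (added example, not pam_access code).
# Handles only "perm : users : origins" with ALL, LOCAL and EXCEPT; real
# pam_access also understands groups, netgroups, networks and host patterns.

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = [f.strip() for f in line.split(":", 2)]
        if perm not in ("+", "-"):
            raise ValueError("bad permission field: %r" % perm)
        rules.append((perm, users.split(), origins.split()))
    return rules

def user_match(token, user):
    return token == "ALL" or token == user

def origin_match(token, origin):
    if token == "ALL":
        return True
    if token == "LOCAL":          # LOCAL: any origin string without a "."
        return "." not in origin
    return token == origin        # simplification: exact match only

def list_match(tokens, item, match):
    # "A EXCEPT B" matches when A matches and B does not.
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = tokens[:i], tokens[i + 1:]
    else:
        head, tail = tokens, []
    if not any(match(t, item) for t in head):
        return False
    return not (tail and list_match(tail, item, match))

def allowed(rules, user, origin):
    for perm, users, origins in rules:
        if list_match(users, user, user_match) and \
           list_match(origins, origin, origin_match):
            return perm == "+"    # first matching rule decides
    return True                   # no rule matched: access is granted

# Constructed sample files; only the final catch-all lines come from the thread.
STRICT = parse_rules("+ : admin : ALL\n- : ALL : ALL\n")
RELAXED = parse_rules("+ : admin : ALL\n- : ALL : ALL EXCEPT LOCAL\n")

if __name__ == "__main__":
    # "su" as origin for a tty-less cron job is an assumption.
    for name, rules in (("strict", STRICT), ("relaxed", RELAXED)):
        for origin in ("su", "host.example.org"):
            print(name, "amavis", origin, allowed(rules, "amavis", origin))
```

With pam_access in common-account, every service's account check goes through the same rule list, so each service's user and origin need to be checked against it in this way.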

