> The access.conf that's shipped by default actually includes two examples,
> the first of which does show the use of LOCAL.

Yes, but the first example doesn't have a catch-all line at the end. For many people, it is tempting to have the final rule deny anything they haven't explicitly got on the white list.

> Also, if you're seeing this error then presumably you've added pam_access to
> /etc/pam.d/common-account - so of course it's going to apply to all
> services, and requires some thought about whether the rules it's applying
> are correct for all services.

That is correct - maybe I am paranoid, but I felt that just setting up pam_access would mean that there may be some other attack vector that remains open. So, my attitude is to have a catch-all deny rule, and to invoke pam_access from common-account.

> I am unconvinced that any change to the example is actually warranted here;
> but I would consider a patch if submitted.

I agree there is probably no perfect solution that will suit all users of pam. However, it might be nice to just add these lines at the end of the sample:

# All other users should be denied to get access from all sources.
#- : ALL : ALL

# As an alternative to the above, only apply the catch-all to
# non-local users (otherwise su commands within scripts and
# cron jobs may fail):
#- : ALL : ALL EXCEPT LOCAL
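The two catch-all endings proposed above differ only in what happens to a local su (for example one run from cron) and to a user no rule mentions. The following is an added example, not part of the bug report or of pam_access itself: a small Python model of how pam_access evaluates access.conf (first matching rule wins, no match means access is granted), run over a constructed sample config with each ending. The LOCAL keyword is modelled as "origin contains no dot", which is the classic pam_access behaviour; the group table, the sample rules, and the user/origin pairs are all constructed for the illustration.

```python
"""Model of pam_access access.conf evaluation (added example, not PAM code).

Assumptions (not taken from the page):
  - first matching rule decides; if no rule matches, access is granted
  - LOCAL matches an origin that contains no '.' (classic pam_access)
  - "(group)" in the users field names a group; GROUPS is constructed data
"""

# Constructed sample group membership; real pam_access consults NSS.
GROUPS = {"wheel": {"alice"}}


def parse_access_conf(text):
    """Parse access.conf text into (permission, users, origins) tuples.

    '#' comments and blank lines are ignored; fields are ':'-separated and
    each users/origins field is a whitespace-separated list that may contain
    the EXCEPT keyword.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules


def _split_except(items):
    """Split 'a b EXCEPT c d' into (['a', 'b'], ['c', 'd'])."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return items[:i], items[i + 1:]
    return items, []


def _user_matches(item, user):
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):
        return user in GROUPS.get(item[1:-1], set())
    return item == user


def _origin_matches(item, origin):
    if item == "ALL":
        return True
    if item == "LOCAL":
        return "." not in origin  # assumption: classic LOCAL semantics
    return item == origin


def _field_matches(items, value, matcher):
    include, exclude = _split_except(items)
    return any(matcher(i, value) for i in include) and not any(
        matcher(i, value) for i in exclude)


def is_allowed(rules, user, origin):
    """Return True if pam_access would grant access for (user, origin)."""
    for perm, users, origins in rules:
        if _field_matches(users, user, _user_matches) and \
           _field_matches(origins, origin, _origin_matches):
            return perm == "+"
    return True  # pam_access default when nothing matches


# Constructed sample config, modelled on the shape of the shipped example.
BASE = """
+ : root : LOCAL
+ : alice : ALL
"""
NO_CATCHALL = parse_access_conf(BASE)
DENY_ALL = parse_access_conf(BASE + "- : ALL : ALL\n")
DENY_REMOTE = parse_access_conf(BASE + "- : ALL : ALL EXCEPT LOCAL\n")

# Constructed (user, origin) pairs: a cron job doing "su backup" shows up
# with a dotless origin; a remote login carries a host name.
CASES = [("backup", "cron"), ("backup", "host.example.com"),
         ("root", "host.example.com"), ("alice", "host.example.com")]

if __name__ == "__main__":
    for name, rules in (("no catch-all", NO_CATCHALL),
                        ("- : ALL : ALL", DENY_ALL),
                        ("- : ALL : ALL EXCEPT LOCAL", DENY_REMOTE)):
        for user, origin in CASES:
            print(f"{name:28} {user:7} from {origin:17} ->",
                  "allow" if is_allowed(rules, user, origin) else "deny")
```

Without a catch-all, a user the rules never mention is let in from anywhere, which is the open attack vector the reply worries about. With `- : ALL : ALL`, the same unlisted user is refused even when su'd to locally from cron; with `- : ALL : ALL EXCEPT LOCAL`, the local case passes while the remote one is still denied.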

