On Tue, 2012-11-06 at 14:00 -0500, Stephen Gallagher wrote:
> On Tue 06 Nov 2012 01:54:46 PM EST, Dmitri Pal wrote:
> > On 11/06/2012 01:45 PM, Simo Sorce wrote:
> >> • If all lists are empty, access is granted
> >> • If any list is provided, the order of evaluation is
> >>   allow,deny. This means that any matching deny rule will
> >>   supersede any matched allow rule.
> >> • If either or both "allow" lists are provided, all
> >>   users are denied unless they appear in the list.
> >> • If only "deny" lists are provided, all users are
> >>   granted access unless they appear in the list.
> <snip>
> > Following the first bullet in man page "if all lists are empty the
> > access is granted".
> > It works as advertised right?
> > So I do not see why anything needs to be changed then.
> >
>
> Yeah, that phrasing certainly seems to make it pretty clear that
> 'simple_allow_users = ' is an empty list. I would prefer that we not
> change the meaning of this because it *would* be a
> backwards-incompatible change. This strikes me as something we could
> stick in a FAQ somewhere: "Be wary if you are using automated tools to
> generate this option. Specifying no values here is equivalent to
> omitting the option entirely. If you really want to specify no users
> are allowed, it's preferable to use 'access_provider = deny'."

Agreed, let's kill off this thread and the proposal.
Sorry Ondrej and Stef, seems like changing this is just not desirable.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
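
Added example, not part of the thread and not SSSD code: a Python model of the four man-page rules quoted above, plus an audit that flags domains where a generated `simple_*` option is present but blank, so everyone is granted access. The sample configuration and domain names are constructed, and the file is assumed to parse as plain INI.

```python
import configparser

# Constructed sssd.conf fragment; the domain names are made up for this example.
SAMPLE_CONF = """
[domain/generated]
access_provider = simple
simple_allow_users =

[domain/restricted]
access_provider = simple
simple_allow_users = alice, bob
simple_deny_users = bob
"""

OPTIONS = ("simple_allow_users", "simple_allow_groups",
           "simple_deny_users", "simple_deny_groups")

def lists_for(section):
    """Return each option as a set; a missing and a blank value both give set()."""
    return {opt: {v.strip() for v in section.get(opt, "").split(",") if v.strip()}
            for opt in OPTIONS}

def access_granted(lists, user, groups=()):
    """Apply the four rules quoted in the thread to one user."""
    groups = set(groups)
    allow_u, allow_g = lists["simple_allow_users"], lists["simple_allow_groups"]
    deny_u, deny_g = lists["simple_deny_users"], lists["simple_deny_groups"]
    if not (allow_u or allow_g or deny_u or deny_g):
        return True                       # all lists empty: access is granted
    if user in deny_u or groups & deny_g:
        return False                      # a matching deny supersedes any allow
    if allow_u or allow_g:
        return user in allow_u or bool(groups & allow_g)
    return True                           # deny lists only: everyone else is granted

def parse(conf_text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp

def audit(conf_text):
    """Find simple-provider domains with a blank option and no effective list."""
    findings = []
    for name, sec in parse(conf_text).items():
        if sec.get("access_provider", "").strip() != "simple":
            continue
        blank = [o for o in OPTIONS if o in sec and not sec[o].strip()]
        if blank and not any(lists_for(sec).values()):
            findings.append((name, blank))
    return findings
```

A domain reported by `audit` is a candidate for `access_provider = deny`, as the FAQ wording in the thread suggests, if the intent was to allow no users.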