On Wed, Nov 07, 2012 at 09:03:43AM -0500, Stephen Gallagher wrote:
On Wed 07 Nov 2012 05:07:14 AM EST, Ondrej Kos wrote:
>On 11/06/2012 11:07 PM, Dmitri Pal wrote:
>>On 11/06/2012 02:09 PM, Simo Sorce wrote:
>>>On Tue, 2012-11-06 at 14:00 -0500, Stephen Gallagher wrote:
>>>>On Tue 06 Nov 2012 01:54:46 PM EST, Dmitri Pal wrote:
>>>>>On 11/06/2012 01:45 PM, Simo Sorce wrote:
>>>>>> • If all lists are empty, access is granted
>>>>>> • If any list is provided, the order of evaluation is
>>>>>>   allow,deny. This means that any matching deny rule will
>>>>>>   supersede any matched allow rule.
>>>>>> • If either or both "allow" lists are provided, all
>>>>>>   users are denied unless they appear in the list.
>>>>>> • If only "deny" lists are provided, all users are
>>>>>>   granted access unless they appear in the list.
>>>><snip>
>>>>>Following the first bullet in man page "if all lists are empty the
>>>>>access is granted".
>>>>>It works as advertised right?
>>>>>So I do not see why anything needs to be changed then.
>>>>>
>>>>Yeah, that phrasing certainly seems to make it pretty clear that
>>>>'simple_allow_users = ' is an empty list. I would prefer that we not
>>>>change the meaning of this because it *would* be a
>>>>backwards-incompatible change. This strikes me as something we could
>>>>stick in a FAQ somewhere: "Be wary if you are using automated tools to
>>>>generate this option. Specifying no values here is equivalent to
>>>>omitting the option entirely. If you really want to specify no users
>>>>are allowed, it's preferable to use 'access_provider = deny'."
>>>Agreed, let's kill off this thread and the proposal.
>>>Sorry Ondrej and Stef, seems like changing this is just not desirable.
>>>
>>>Simo.
>>>
>>ack. IMO it should be just clarified in the man page.
>>
>patch for manpage attached
>
>O.
>
Ack
Pushed to master and sssd-1-9
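
Added example (not part of the thread, the attached patch, or SSSD's code): a Python model of the four man page rules quoted above, plus an audit that flags a generated `simple_allow_users =` line. The section name, the sample config and exact string matching of user and group names are assumptions made for illustration; `simple_allow_groups`, `simple_deny_users` and `simple_deny_groups` are the simple access provider's other list options.

```python
import configparser

LISTS = ("simple_allow_users", "simple_allow_groups",
         "simple_deny_users", "simple_deny_groups")

# Constructed sample: what an automated tool might emit for "no users allowed".
GENERATED = """
[domain/example.test]
access_provider = simple
simple_allow_users =
"""

def parse_domain(text, section):
    """Return (access_provider, {option: [values]}, options set but empty)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    dom = cp[section]
    lists, empty_but_set = {}, []
    for name in LISTS:
        raw = dom.get(name)
        lists[name] = [v.strip() for v in (raw or "").split(",") if v.strip()]
        if raw is not None and not lists[name]:
            empty_but_set.append(name)
    return dom.get("access_provider"), lists, empty_but_set

def access_granted(lists, user, groups=()):
    """Apply the four rules from the man page text quoted in the thread."""
    allow_u, allow_g = lists["simple_allow_users"], lists["simple_allow_groups"]
    deny_u, deny_g = lists["simple_deny_users"], lists["simple_deny_groups"]
    if not (allow_u or allow_g or deny_u or deny_g):
        return True                       # all lists empty: access is granted
    allowed = True                        # only deny lists: allowed unless listed
    if allow_u or allow_g:                # any allow list: must appear in one
        allowed = user in allow_u or bool(set(groups) & set(allow_g))
    denied = user in deny_u or bool(set(groups) & set(deny_g))
    return allowed and not denied         # order allow,deny: deny supersedes

def audit(text, section):
    """Flag configurations where an empty allow list silently allows everyone."""
    provider, lists, empty = parse_domain(text, section)
    findings = []
    if provider == "simple" and not any(lists.values()):
        findings.append("all lists empty: every user is granted access")
    for name in empty:
        if name.startswith("simple_allow"):
            findings.append(f"{name} is set but empty, same as omitting it; "
                            "use access_provider = deny to deny everyone")
    return findings
```

Running `audit(GENERATED, "domain/example.test")` on the constructed sample returns both findings, which is the case the FAQ wording in the thread warns about.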