Diffstat (limited to 'doc/usr-acl.texi')
-rw-r--r-- | doc/usr-acl.texi | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/doc/usr-acl.texi b/doc/usr-acl.texi
new file mode 100644
index 0000000..1fd69f5
--- /dev/null
+++ b/doc/usr-acl.texi
@@ -0,0 +1,48 @@
+@c This is part of the Pies manual.
+@c Copyright (C) 2009 Sergey Poznyakoff
+@c This file is distributed under GFDL 1.1 or any later version
+@c published by the Free Software Foundation.
+
+ This appendix describes the @samp{user-group} extension for
+@command{Pies} @acronym{ACL}s. This extension is reserved for
+the future use.
+
+The @var{user-group} @acronym{ACL} statement specifies which
+users match this entry. Allowed values are the following:
+
+@table @code
+@kwindex all
+@item all
+All users.
+
+@kwindex authenticated
+@item authenticated
+Only authenticated users.
+
+@kwindex group
+@item group @var{group-list}
+Authenticated users which are members of at least one of groups listed in
+@var{group-list}.
+@end table
+
+For example, the following statement defines an @acronym{ACL}
+which allows access for any user connected via local @acronym{UNIX}
+socket @file{/tmp/dicod.sock} or coming from a local network
+@samp{192.168.10.0/24}. Any authenticated users are allowed, provided
+that they are allowed by another @acronym{ACL} @samp{my-nets} (which
+should have been defined before this definition). Users coming from
+the network @samp{10.10.0.0/24} are allowed if they authenticate
+themselves and are members of groups @samp{pies} or @samp{users}.
+Access is denied for anybody else:
+
+@smallexample
+@group
+acl @{
+ allow all from ("/tmp/pies.sock", "192.168.10.0/24");
+ allow authenticated acl "my-nets";
+ allow group ("pies", "users") from "10.10.0.0/24";
+ deny all;
+@}
+@end group
+@end smallexample
+
|