author | Daniel Silverstone <daniel.silverstone@codethink.co.uk> | 2012-09-07 14:29:43 +0100 |
committer | Daniel Silverstone <daniel.silverstone@codethink.co.uk> | 2012-09-07 14:29:43 +0100 |
commit | fb652434121c382fc622845ec714c2a14f2fde58 (patch) | |
tree | 5454fa43967ebb883173057c5f45fb318b818824 /gitano-admin/rules/aschecks.lace | |
parent | 860ec2f6436ac7cba31969ab13f163c9fbe691d6 (diff) | |
Initial ruleset and beginnings of gitano-admin overlay
Diffstat (limited to 'gitano-admin/rules/aschecks.lace')
-rw-r--r-- | gitano-admin/rules/aschecks.lace | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/gitano-admin/rules/aschecks.lace b/gitano-admin/rules/aschecks.lace
new file mode 100644
index 0000000..2fb2ae6
--- /dev/null
+++ b/gitano-admin/rules/aschecks.lace
@@ -0,0 +1,14 @@
+# Rules for when we're running as another user.
+# Only 'deny' things which are not allowed.
+# If you 'allow' then it will allow the actual operation, not just
+# fail to deny the fact that it's 'as' someone else.
+
+define as_is_admin as_group gitano-admin
+
+# ct-admin members are permitted to run sshkey and whoami on behalf of others
+define as_is_ct_admin as_group ct-admin
+define as_ct_admin_ok allof as_is_ct_admin op_self
+
+define as_is_ok anyof as_is_admin as_ct_admin_ok
+
+deny "You may not run things as another user unless you are an admin" !as_is_ok
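Review bot: The comment above `define as_ct_admin_ok allof as_is_ct_admin op_self` promises that ct-admin members may only run sshkey and whoami on behalf of others, but the rule itself delegates the operation check to `op_self`, which this file does not define, so the actual set of delegated operations is whatever that predicate matches elsewhere. If `op_self` ever grows to cover more operations, ct-admin members silently gain wider "as another user" rights than the comment documents, and nothing in this file would flag it. Either state the dependency in the comment, e.g. `# ct-admin members may act as others only for the ops matched by op_self (defined in the core rules); keep that definition limited to sshkey/whoami`, or, if the rule language allows it, name the permitted operations directly in this define so the comment and the check cannot drift apart. It would also help to note at the top of the file that these rules only deny, so a missing or misspelled predicate here fails open for admins and closed for everyone else.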