diff options
Diffstat (limited to 'gitano-admin/rules/aschecks.lace')
-rw-r--r-- | gitano-admin/rules/aschecks.lace | 30 |
1 files changed, 0 insertions, 30 deletions
diff --git a/gitano-admin/rules/aschecks.lace b/gitano-admin/rules/aschecks.lace deleted file mode 100644 index fc76440..0000000 --- a/gitano-admin/rules/aschecks.lace +++ /dev/null @@ -1,30 +0,0 @@ -# _____ -# |_ _| __ _____ _____ -# | || '__/ _ \ \ / / _ \ -# | || | | (_) \ V / __/ -# |_||_| \___/ \_/ \___| -# -# Copyright 2012 Codethink Limited -# -# Rules for when we're running as another user. - -# Only 'deny' things which are not allowed. If you 'allow' then it will allow -# the actual operation, not just fail to deny the fact that it's 'as' someone -# else. - -define as_is_admin as_group gitano-admin - -# trove-admin members are permitted to run sshkey and whoami on behalf -# of others in order to check users and grant access, providing the target -# user is not part of the gitano-admin group. - -define as_is_trove_admin as_group trove-admin -define as_trove_admin_ok allof as_is_trove_admin !is_admin op_self - -# You are permitted to do things 'as' others if and only if the caller is -# either a member of the administration group, or else meets the above -# requirements. -define as_is_ok anyof as_is_admin as_trove_admin_ok - -# Explicitly deny any impersonation operation which does not meet the above. -deny "You may not run things as another user unless you are an admin" !as_is_ok |