summaryrefslogtreecommitdiff
path: root/share/gitano/skel/gitano-admin/rules/aschecks.lace
diff options
context:
space:
mode:
Diffstat (limited to 'share/gitano/skel/gitano-admin/rules/aschecks.lace')
-rw-r--r--share/gitano/skel/gitano-admin/rules/aschecks.lace30
1 files changed, 30 insertions, 0 deletions
diff --git a/share/gitano/skel/gitano-admin/rules/aschecks.lace b/share/gitano/skel/gitano-admin/rules/aschecks.lace
new file mode 100644
index 0000000..fc76440
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/aschecks.lace
@@ -0,0 +1,30 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Rules for when we're running as another user.
+
+# Only 'deny' things which are not allowed. If you 'allow' then it will allow
+# the actual operation, not just fail to deny the fact that it's 'as' someone
+# else.
+
+define as_is_admin as_group gitano-admin
+
+# trove-admin members are permitted to run sshkey and whoami on behalf
+# of others in order to check users and grant access, providing the target
+# user is not part of the gitano-admin group.
+
+define as_is_trove_admin as_group trove-admin
+define as_trove_admin_ok allof as_is_trove_admin !is_admin op_self
+
+# You are permitted to do things 'as' others if and only if the caller is
+# either a member of the administration group, or else meets the above
+# requirements.
+define as_is_ok anyof as_is_admin as_trove_admin_ok
+
+# Explicitly deny any impersonation operation which does not meet the above.
+deny "You may not run things as another user unless you are an admin" !as_is_ok
View Lorry Controller Status