# Rules for when we're running as another user.
# Only 'deny' things which are not allowed.
# If you 'allow' then it will allow the actual operation, not just
# fail to deny the fact that it's 'as' someone else.
#
# Shape of this file: the single 'deny' at the bottom fires whenever
# as_is_ok is false. The 'define' lines above it only build up the set of
# callers that are exempt from that deny; nothing here grants the
# underlying operation itself.
#
# Members of gitano-admin are exempt from the deny below.
define as_is_admin as_group gitano-admin
# ct-admin members are permitted to run sshkey and whoami on behalf of others
define as_is_ct_admin as_group ct-admin
# ct-admin membership alone is not enough: op_self must also hold.
# op_self is not defined in this file — presumably it comes from another
# rules file; confirm it really limits ct-admin to the sshkey/whoami
# operations named in the comment above, otherwise the exemption is wider
# than documented.
define as_ct_admin_ok allof as_is_ct_admin op_self
# Exempt callers: full admins, or ct-admins for which op_self passed.
define as_is_ok anyof as_is_admin as_ct_admin_ok
# Everyone else is refused when acting 'as' another user.
deny "You may not run things as another user unless you are an admin" !as_is_ok