[tac_plus] Re: How can I deny/permit ?
Nathan Schrenk
nathan at schrenk.org
Fri Jan 30 21:56:30 UTC 2009
On 1/30/09, Alexander Czutka <aczutka at brocade.com> wrote:
>
> Hello Nathan,
>
> it doesn't work.
>
What doesn't work? tac_plus doesn't print the same error message while
parsing the config file as it does without the quotes, does it?
I normally use a group and deny everything that is not explicitly allowed (a
command blacklist):
group = mygroup {
    default service = deny
    cmd = show {
        permit "ip <cr>"
        deny .*
    }
}
user = myuser {
    member = mygroup
    login = cleartext "mypassword"
}
Nathan
> user = user2 {
>     # member = group2
>     # debug = REGEX
>     login = cleartext "user2"
>     enable = cleartext "user2"
>
>     cmd = show {
>         permit ip
>         deny "ip ospf"
>     }
>
> # END
>
> Regards,
>
> Alexander
>
> ------------------------------
>
> *From:* nschrenk at gmail.com [mailto:nschrenk at gmail.com] *On Behalf Of* Nathan Schrenk
> *Sent:* Friday, 30 January 2009 21:14
> *To:* Alexander Czutka
> *Cc:* tac_plus at shrubbery.net
> *Subject:* Re: [tac_plus] How can I deny/permit ?
>
> On 1/30/09, *Alexander Czutka* <aczutka at brocade.com> wrote:
>
> Hello,
>
> I'm trying to set up an authorization for a user.
>
> The user should be allowed to do a:
>
> - Show ip
> - show ip route
>
> But he shouldn't execute the commands which start with:
>
> - Show ip ospf
> - Show ip pim
>
> I tried this, but it didn't work:
>
> cmd = show {
>     permit ip
>     deny ip ospf
> }
>
> root at ubuntu-fdry:/# tac_plus -C /etc/tac_plus.conf
> Error: expecting '}' but found 'ospf' on line 40
> root at ubuntu-fdry:/#
>
> Is this possible?
>
>
> Try putting quotes around the tokens:
>
> cmd = show {
>     permit ip
>     deny "ip ospf"
> }
>
> Nathan
>
>
>
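The rule ordering discussed in this thread, modelled as an added example (not code from the thread or from tac_plus). It assumes the behaviour described in the tac_plus user guide: a command's arguments are matched against the permit/deny regular expressions in order of appearance, the first match decides, and no match means deny; it also assumes the NAS sends a trailing <cr> argument. The DENY_FIRST rule set, the helper names and the sample commands are constructed for illustration, and Python's re module stands in for the daemon's egrep-style matching.

```python
import re

def decide(rules, args, default="deny"):
    """First-match evaluation: return (action, index of the deciding rule)."""
    for i, (action, pattern) in enumerate(rules):
        if re.search(pattern, args):      # unanchored search, like egrep
            return action, i
    return default, None                  # assumption: no match means deny

def evaluate(rules, commands):
    """Map each argument string to the action the rule set yields."""
    return {args: decide(rules, args)[0] for args in commands}

def shadowed(rules, commands):
    """Patterns that match a sample command but never decide one."""
    deciding = {decide(rules, args)[1] for args in commands}
    return [pattern for i, (_, pattern) in enumerate(rules)
            if i not in deciding and any(re.search(pattern, a) for a in commands)]

# Constructed sample: the arguments following "show", with the trailing <cr>.
COMMANDS = ["ip <cr>", "ip route <cr>", "ip ospf neighbor <cr>",
            "ip pim neighbor <cr>", "version <cr>"]

# Rule order as posted in the thread (with the quotes that make it parse).
AS_POSTED = [("permit", "ip"), ("deny", "ip ospf")]

# Hypothetical reordering: specific denies first, anchored, catch-all last.
DENY_FIRST = [("deny", r"^ip (ospf|pim)"), ("permit", r"^ip( |$)"), ("deny", ".*")]

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("deny first", DENY_FIRST)):
        print(name)
        for args, action in evaluate(rules, COMMANDS).items():
            print(f"  show {args:<24} {action}")
        print("  shadowed rules:", shadowed(rules, COMMANDS))
```

A rule reported as shadowed is one that an earlier, broader pattern always pre-empts on the sample commands, which is a useful check before loading a changed rule set.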