author | Jakob Kaivo <jkk@ung.org> | 2021-02-07 13:57:26 -0500 |
---|---|---|
committer | Jakob Kaivo <jkk@ung.org> | 2021-02-07 13:57:26 -0500 |
commit | 72f77b8941d9a7cd3f625938c704c1e6c1dd75f3 (patch) | |
tree | dcb5808ceda627a2aba45f36d4b7d6415ab12107 | |
parent | 5e74f5da46dd78a239a2af7c8a71041f2c480d80 (diff) |
add full precedence list
-rw-r--r-- | README.md | 17 |
1 files changed, 17 insertions, 0 deletions
@@ -58,3 +58,20 @@ as to be most restrictive. In order from least to most: is executed. This is handled by PAM with the service name `privexec`. `deny` - The user is not permitted to execute the command. + +A user name match has higher precedence than a group match, and a match +containing a program name has higher precedence than a match without the +program name. So the total ordering of precedence (from least to most) is: + + authorized :group + authenticate :group + deny :group + authorized :group command + authenticate :group command + deny :group command + authorized user + authenticate user + deny user + authorized user command + authenticate user command + deny user command |
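Review bot: The added paragraph gives two rules (user over group, program name over no program name) but does not say which one wins when they conflict. The list settles it only implicitly by placing `authorized user` above `deny :group command`, so a broad user entry overrides a command-specific group deny. Suggest stating the comparison order in the prose: user versus group first, then presence of a program name, then the keyword. It would also help to say that this override is intended, since an administrator reading only the two rules could reasonably expect a command-specific `deny` to be the stronger match.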