From 27ba7a5982fbf43ae04b750c8327cbfa140a09ad Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Sat, 10 Dec 2011 14:03:26 -0600 Subject: [PATCH] Address code review comments (use .Xr and .Pa macros in krb5.conf.5) --- lib/krb5/krb5.conf.5 | 67 +++++++++++++++++++++++++++++++++------------------- 1 file changed, 43 insertions(+), 24 deletions(-) diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5 index 36469039d..8644a96f8 100644 --- a/lib/krb5/krb5.conf.5 +++ b/lib/krb5/krb5.conf.5 
@@ -267,38 +267,57 @@ needed. This option is provided for compatibility with MIT krb5 configuration files. .It Li k5login_authoritative = Va boolean If true then if a principal is not found in k5login files then -krb5_userok() will not fallback on principal to username mapping. This -option is provided for compatibility with MIT krb5 configuration files. +.Xr krb5_userok 3 +will not fallback on principal to username mapping. This option is +provided for compatibility with MIT krb5 configuration files. .It Li kuserok = Va rule ... -Specifies krb5_kuserok(3) behavior. If multiple values are given, then -krb5_kuserok(3) will evaluate them in order until one succeeds or all -fail. Rules are implemented by plugins, with three built-in plugins +Specifies +.Xr krb5_userok 3 +behavior. If multiple values are given, then +.Xr krb5_userok 3 +will evaluate them in order until one succeeds or all fail. Rules are +implemented by plugins, with three built-in plugins described below. Default: USER-K5LOGIN SIMPLE DENY. .It Li kuserok = Va DENY -If set and evaluated then krb5_userok(3) will deny access to the given -username no matter what the principal name might be. +If set and evaluated then +.Xr krb5_userok 3 +will deny access to the given username no matter what the principal name +might be. .It Li kuserok = Va SIMPLE -If set and evaluated then krb5_userok(3) will use principal to username -mapping (see auth_to_local below). If the principal maps to the -requested username then access is allowed. +If set and evaluated then +.Xr krb5_userok 3 +will use principal to username mapping (see auth_to_local below). If +the principal maps to the requested username then access is allowed. .It Li kuserok = Va SYSTEM-K5LOGIN[:directory] -If set and evaluated then krb5_userok(3) will use k5login files named -after the +If set and evaluated then +.Xr krb5_userok 3 +will use k5login files named after the .Va luser -argument to krb5_kuserok(3) in the given directory or in -/etc/k5login.d/. 
If a directory is given then tokens will be expanded; -the %{luser} token will be replaced with the +argument to +.Xr krb5_userok 3 +in the given directory or in +.Pa /etc/k5login.d/ . +If a directory is given +then tokens will be expanded; the %{luser} token will be replaced with +the .Va luser -argument to krb5_kuserok(3). K5login files are text files, with each -line containing just a principal name; principals apearing in a user's -k5login file are permitted access to the user's account. Note: this rule -performs no ownership nor permissions checks on k5login files; proper -ownership and permissions/ACLs are expected due to the system k5login -location being a system location. +argument to +.Xr krb5_userok 3 . +K5login files are text files, with each line containing just a principal +name; principals apearing in a user's k5login file are permitted access +to the user's account. Note: this rule performs no ownership nor +permissions checks on k5login files; proper ownership and +permissions/ACLs are expected due to the system k5login location being a +system location. .It Li kuserok = Va USER-K5LOGIN -If set and evaluated then krb5_userok(3) will use ~luser/.k5login and -~luser/.k5login.d/*. User k5login files and directories must be owned by -the user and must not have world nor group write permissions. +If set and evaluated then +.Xr krb5_userok 3 +will use +.Pa ~luser/.k5login +and +.Pa ~luser/.k5login.d/* . +User k5login files and directories must be owned by the user and must +not have world nor group write permissions. .It Li aname2lname-text-db = Va filename The named file must be a sorted (in increasing order) text file where every line consists of an unparsed principal name optionally followed by -- 2.11.4.GIT
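Review bot: the cross-references throughout this hunk all read `.Xr krb5_userok 3`, but the lines being removed name the function `krb5_kuserok(3)` in five places (and the option being documented is itself spelled `kuserok`); the old text was inconsistent (`krb5_userok()` in one line, `krb5_kuserok(3)` in the rest), and the patch resolves it toward the spelling without the `k` without saying why. Please confirm the name against the exported symbol and the existing manual page before merging; if the function is `krb5_kuserok`, every `.Xr` here should become `.Xr krb5_kuserok 3`, because an `.Xr` pointing at a page that does not exist is a dangling reference in the rendered manual and defeats the purpose of the macro change. Two wording defects are carried over unchanged from the removed lines and could be fixed in the same pass: `principals apearing in a user's k5login file` should read `appearing`, and `will not fallback on principal to username mapping` should read `will not fall back on` (verb, two words).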