Universal Control Server for UNIX - UACL Example

Universal Control Server for UNIX

The following set of rules permit services for the subnet 10.20.30 and denies all other connections unless an X.509 certificate is presented that maps to certificate ID operations.

uctl_access     10.20.30.,*,*,allow,auth
uctl_access     ALL,*,*,deny,auth

uctl_cert_access  operations,*,allow,auth
uctl_cert_access  *,*,deny,auth


When no certificate is presented that maps to a certificate ID, the following set of rules effectively permits connections from any host, but has limited access from host 10.20.30.40 to user TS1004 on that host.

  • No host can execute commands as local user root.
  • User TS1004 on host 10.20.30.40 can execute commands as local user tsup1004 without providing the password.
  • User TS1004 from host 10.20.30.40 can execute commands as any local user by providing the local user password.

When a certificate is presented that maps to a certificate ID, certificate ID joe can request local user id t*sup1004* without a password.

  • Certificate ID joe is allowed to execute commands with any other local user ID with a password.
  • Certificate ID operations cannot run anything.
  • All other certificate IDs can execute commands with any user ID except for root with a password.
uctl_access     10.20.30.40,TS1004,tsup1004,allow,noauth
uctl_access     10.20.30.40,TS1004,*,allow,auth
uctl_access     10.20.30.40,*,*,deny,auth
uctl_access     ALL,*,root,deny,auth

uctl_cert_access   joe,tsup1004,allow,noauth
uctl_cert_access   joe,*,allow,auth
uctl_cert_access   operations,*,deny,auth
uctl_cert_access   *,root,deny,auth

Components

Universal Control