GNU cfengine
3.7 Access control
It is sometimes convenient to be able to restrict the access of a
program to a handful of users. This can be done by adding an access
list to the control: section of your program. For example,
| | control:
...
access = ( mark root )
|
would cause cfengine to refuse to run the program for any other users
except mark and root. Such a restriction would be useful, for instance,
if you intended to make set-user-id scripts but only wished certain
users to be able to run them. If the access list is absent, all users
can execute the program.
Note: if you are running cfagent via the cfrun program
then cfagent is always started with the same user identity as
the cfservd process on the remote host.
Normally this is the root user identity. This means that
the access keyword will have no effect on the use of
the command cfrun.
