Access is a program I wrote to handle a not-so-infrequent situation that
standard UNIX file permissions didn't seem to address, quite. Given a
set of users (e.g. students in a class) which are to be protected from
each other (can't read or destroy each other's homework, for example)
and one or more "senior" logins (e.g. the teacher of the class, TAs for
the class) arrange for these (individually protected from each other)
logins to all be accessible to the senior, administrative logins. The
senior logins aren't to be given root permissions. I couldn't figure a
way to do this with the standard UNIX permissions system, so I wrote the
following. It should be installed somewhere suid root (I'd make it owner
root, in a directory that isn't world writeable, mode 6711. The setgid
probably isn't necessary). It checks a file "/etc/accesstab" (shouldn't
be world writeable, right) for lines of the form

	regexp1:regexp2

If the requesting user's username matches regexp1, then a regsub is done
from that match onto regexp2, and the resulting pattern is matched
against the requested destination. If it matches, the program succeeds.
Otherwise, it fails. In behavior, it is about the same as su(1) with the
following differences:

	1) Doesn't require any password
	2) Requires a match in the accesstab file
	3) Changes to the login home directory of the requested user.

(3) above is possibly not appropriate; it turned out to be proper for
the use I had for it, and didn't seem to me to be a bad idea. You can
rip it out if you don't like it.

Caveats:  I am not sure that this isn't a serious breach of security;
I cannot think of a way to break it, but that doesn't mean it's
secure. Use at your own risk, and check it before you use it. This
critter explicitly kicks holes in the UNIX security system; don't use
it to give any logins access to privileged logins such as root, and
it probably shouldn't be used for any permanent project, only for
temporary undertakings. DON'T TRY TO USE IT IF YOU AREN'T COMPLETELY
COMFORTABLE WITH REGULAR EXPRESSIONS!!! Use completely explicit
regular expressions, to ensure no accidental matches; regular
expression metacharacters should only be used whete the logins have a
systematic format (such as class logins with a common format). A
reasonable use would be for a class with a teacher "deboss" with
class logins "cs00" - "cs49":

    deboss:cs[0-4][0-9]

Make sure that not only are all logins that should be permitted
matchable by the target, but that all patterns matchable by the
target are ones that are supposed to be reachable.

This program is built with Henry Spencer's V8-compatible regexp
library, from mod.sources. Get it. It's excellent.

This program was written and tested under System V (AT&T System V
Release 2.0.1 3B5 Version 2); as far as I know it should be portable to
most reasonably modern UNIXs.

-Bennett
