accessdb

accessdb [-m] [-v] [string ...]

-m
    Match mode: show only rules containing all specified strings (AND logic)

-v
    Verbose mode: include rule numbers, per-string match counts, and total rules examined

accessdb is a command-line utility for querying and displaying rules from the access control database file /etc/security/access.conf. This file configures login access restrictions via the PAM pam_access module, defining permissions based on user, group, host, tty, or time for origins like console, local, or remote networks.

By default, accessdb outputs all rules when invoked without arguments. Providing one or more string arguments filters the output to rules containing any of those strings (OR logic). The tool scans line-by-line, matching against user/group fields, origins, and comments.

It aids system administrators in auditing configurations, verifying permissions (e.g., for root logins), and troubleshooting denials without editing files. Output format mirrors the conf file for easy reading. Primarily used on systems with shadow passwords and PAM enabled, it's lightweight and doesn't modify the database.

Reads /etc/security/access.conf by default.
Example rule: +:wheel : LOCAL (allows wheel group local access).

accessdb root
Lists rules with 'root'.

accessdb -v -m root console
Verbose match for both strings.

Introduced in the early shadow password suite (1990s) alongside tools like passwd and groupadd. Evolved with PAM integration for flexible access control; maintained in shadow-utils package across major distros like RHEL, Debian.

access.conf(5), pam_access(8), faillog(8), lastlog(8)