Hi folks,

(Please point me to another list if this is better suited elsewhere.)

src/kadmin/server/server_stubs.c has an oversight in the handling of ACL_LIST 
which prevents ACLs like this from functioning:

        foo/listpr...@test.example.com        l       
jorj/kadmin-test.example....@test.example.com

The oversight is that kadm5int_acl_check is never passed the target argument;
as a result, an ACL target of '*' matches everything, while any other target
never matches (even if you query that specific principal).

A simple patch corrects the behavior (this is against current master, but it's 
easily backported to 1.11):


--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -737,6 +737,8 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
     kadm5_server_handle_t           handle;
     const char                      *errmsg = NULL;
 
+    krb5_principal                 kpr = NULL;
+
     xdr_free(xdr_gprincs_ret, &ret);
 
     if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
@@ -755,10 +757,12 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
     if (prime_arg == NULL)
         prime_arg = "*";
 
+    /*kret = */ krb5_parse_name(handle->context, prime_arg, &kpr);
+
     if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
                                                        rqst2name(rqstp),
                                                        ACL_LIST,
-                                                       NULL,
+                                                       kpr,
                                                        NULL)) {
         ret.code = KADM5_AUTH_LIST;
         log_unauth("kadm5_get_principals", prime_arg,
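Review bot: The return value of krb5_parse_name is discarded (the commented-out `/*kret = */` on the new line), so if parsing prime_arg fails, kpr stays NULL and kadm5int_acl_check is called with exactly the NULL target this patch is meant to replace, silently reverting to the old behaviour. prime_arg appears to be taken from the request (it is only defaulted to "*" when absent), so a caller-controlled string that is not a valid principal name would take that path. Capture the result with `if ((ret.code = krb5_parse_name(handle->context, prime_arg, &kpr)))` and bail out through the path that still releases client_name and service_name rather than jumping straight to exit_func, since the gss_release_buffer calls in the following hunk sit before that label; the exact cleanup route is outside this hunk and should be confirmed. Drop the dead `/*kret = */` comment either way. get_princs_2_svc begins and ends outside this hunk.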
@@ -777,6 +781,10 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
             krb5_free_error_message(handle->context, errmsg);
 
     }
+
+    if (kpr)
+        krb5_free_principal((krb5_context) NULL, kpr);
+
     gss_release_buffer(&minor_stat, &client_name);
     gss_release_buffer(&minor_stat, &service_name);
 exit_func:
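Review bot: The principal is parsed with handle->context in the previous hunk but freed here with a `(krb5_context) NULL` cast; use the same context for both, `krb5_free_principal(handle->context, kpr);`, so allocation and release agree and the cast is not needed. The free also only runs on the path that reaches the gss_release_buffer calls, so if any exit between the parse and this point jumps to exit_func (those paths are outside the hunk), kpr would leak; worth checking that none does. The `if (kpr)` guard is harmless but can stay or go depending on whether krb5_free_principal tolerates NULL, which I have not verified here.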



The same fundamental code appears a second time in get_pols_2_svc.

-- Jorj

-- 
Jorj Bauer
Manager of Engineering, Research and Development
Information Systems and Computing, University of Pennsylvania
215.746.3850
XMPP: j...@upenn.edu

