Hi folks, (Please point me to another list if this is better suited elsewhere.)
src/kadmin/server/server_stubs.c has an oversight in the handling of ACL_LIST which prevents ACLs like this from functioning:

foo/listpr...@test.example.com l jorj/kadmin-test.example....@test.example.com

The oversight is that kadm5int_acl_check is never passed the target argument; that means that either '*' matches everything, or it fails (even if you attempt to query the given specific principal).

A simple patch corrects the behavior (this is against current master, but it's easily backported to 1.11):

--- a/src/kadmin/server/server_stubs.c +++ b/src/kadmin/server/server_stubs.c @@ -737,6 +737,8 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp) kadm5_server_handle_t handle; const char *errmsg = NULL; + krb5_principal kpr = NULL; + xdr_free(xdr_gprincs_ret, &ret); if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle))) @@ -755,10 +757,12 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp) if (prime_arg == NULL) prime_arg = "*"; + /*kret = */ krb5_parse_name(handle->context, prime_arg, &kpr); + if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_LIST, - NULL, + kpr, NULL)) { ret.code = KADM5_AUTH_LIST; log_unauth("kadm5_get_principals", prime_arg, @@ -777,6 +781,10 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp) krb5_free_error_message(handle->context, errmsg); } + + if (kpr) + krb5_free_principal((krb5_context) NULL, kpr); + gss_release_buffer(&minor_stat, &client_name); gss_release_buffer(&minor_stat, &service_name); exit_func:

The same fundamental code appears a second time in get_pols_2_svc.

-- Jorj

-- 
Jorj Bauer
Manager of Engineering, Research and Development
Information Systems and Computing, University of Pennsylvania
215.746.3850
XMPP: j...@upenn.edu

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
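Review bot: in the second hunk the return value of krb5_parse_name is discarded (the `/*kret = */` remnant marks where it was dropped), so when prime_arg does not parse, kpr stays NULL and kadm5int_acl_check is still called with a NULL target, which is exactly the code path this patch sets out to replace. Check the result and treat a parse failure as a denial rather than falling through, for example `ret.code = krb5_parse_name(handle->context, prime_arg, &kpr);` followed by an `if (ret.code)` branch that logs with log_unauth and then skips to the gss_release_buffer calls (not to exit_func, which in the third hunk sits after those calls and would leak client_name and service_name); removing the commented-out assignment also clears the leftover debugging marker.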
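Review bot: in the third hunk krb5_free_principal is called with a `(krb5_context) NULL` cast even though handle->context is in scope and is the context the matching krb5_parse_name call in the second hunk used; pass handle->context so the allocation and the free go through the same context, as the surrounding krb5_free_error_message call already does. The `if (kpr)` guard is consistent with kpr being initialised to NULL in the first hunk, so the early `goto exit_func` on the new_server_handle failure path stays safe.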