On Jun 9, 2014, at 4:00 PM, Greg Hudson <ghud...@mit.edu> wrote:

> On 06/09/2014 03:11 PM, Jorj Bauer wrote:
>> src/kadmin/server/server_stubs.c has an oversight in the handling of 
>> ACL_LIST which prevents ACLs like this from functioning:
> 
> I think that is deliberate, not an oversight.  The argument to
> get_princs is a pattern, not a principal name; parsing it as a principal
> name and matching it against the ACL target pattern would have fuzzy
> semantics at best.
> 
> I do see that our documentation uses list permissions in an example with
> a target principal, which is deceptive.  We should be explicit that list
> permission is all or nothing.  I will file an issue.

Thanks. I'm slightly puzzled by the decision to make such a limitation, when 
one might actually have a use case for such an ACL, which is syntactically and 
semantically valid.

This comes up for us in a slightly larger context. We maintain a set of patches 
that allow regex against the right-hand side of that config file, so that we 
can do this:

        */kadmin-*@TEST.NET.ISC.UPENN.EDU       *       */*2$@TEST.NET.ISC.UPENN.EDU
        */kadmin-*@TEST.NET.ISC.UPENN.EDU       *       */kadmin-*2$@TEST.NET.ISC.UPENN.EDU

... which allows kadmins to manage their own sub-zones in the realm. Our 
decentralized IT works that way.

We have a similar use case for the RHS of list, which has the ability to list 
kadmins but not everything:

        foo/listpr...@test.net.isc.upenn.edu        l       */kadmin-*@TEST.NET.ISC.UPENN.EDU

... which is how we stumbled across this issue.

Of course, I'd like to see this underlying patch in place so that it doesn't 
break the 'list' case for us, but if it's deemed something that's not in the 
best interests of the project, so be it.

But if I can convince folks to be interested in the larger patch, I'll happily 
submit that in toto.

-- Jorj

-- 
Jorj Bauer
Manager of Engineering, Research and Development
Information Systems and Computing, University of Pennsylvania
215.746.3850
XMPP: j...@upenn.edu


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
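Added example, not code from this thread or from MIT Kerberos: a small Python linter that splits kadm5.acl lines into principal, permissions, optional target and optional restrictions, and flags any entry that pairs a target principal with list permission ('l', or '*' which includes it), since, per Greg's reply above, kadmind does not consult the target for the list operation and such an entry grants listing of the whole database. The sample ACL embedded below is constructed with placeholder principals and an EXAMPLE.COM realm, written with plain kadm5.acl wildcards rather than the locally patched regex syntax shown in the thread; no wildcard matching is attempted, only the field split.

```python
"""kadm5.acl lint: find 'list' entries whose target principal has no effect.

Added example; not code from the thread or from MIT Kerberos.  The sample
ACL is constructed with placeholder principals and realm.
"""

# Constructed sample kadm5.acl (placeholder names, not a real site's config).
SAMPLE_ACL = """\
# comment line, ignored
*/admin@EXAMPLE.COM            *
*/kadmin-*@EXAMPLE.COM         *       */*2@EXAMPLE.COM
foo/listpriv@EXAMPLE.COM       l       */kadmin-*@EXAMPLE.COM
bar/ro@EXAMPLE.COM             il
baz/cpw@EXAMPLE.COM            c       */*@EXAMPLE.COM
"""


def parse_acl(text):
    """Split kadm5.acl text into entries.

    Each non-comment line is: principal  permissions  [target [restrictions...]].
    Comment lines start with '#'.  Only the field split is done here; no
    wildcard or regex matching of principal components is attempted.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected principal and permissions")
        entries.append({
            "lineno": lineno,
            "principal": fields[0],
            "perms": fields[1],
            "target": fields[2] if len(fields) > 2 else None,
            "restrictions": fields[3:],
        })
    return entries


def grants_list(perms):
    """True if the permission string grants listing ('l', or '*' for all permissions)."""
    return "l" in perms or "*" in perms


def find_ignored_list_targets(entries):
    """Return entries that combine list permission with a target principal.

    As stated in the thread, kadmind treats list permission as all-or-nothing:
    the target pattern is not consulted for the list operation, so such an
    entry lets the principal list every entry in the database, not just the
    targeted ones.  The target still applies to the entry's other permissions.
    """
    findings = []
    for e in entries:
        if e["target"] and grants_list(e["perms"]):
            findings.append({
                "lineno": e["lineno"],
                "principal": e["principal"],
                "message": (
                    f"target {e['target']} does not restrict list permission; "
                    f"{e['principal']} can list all principals"
                ),
            })
    return findings


def lint(text):
    """Parse ACL text and return the list-permission findings."""
    return find_ignored_list_targets(parse_acl(text))


if __name__ == "__main__":
    for f in lint(SAMPLE_ACL):
        print(f"line {f['lineno']}: {f['message']}")
```

Run against a real kadm5.acl by passing its contents to lint(); on the constructed sample it reports the '*' entry with a sub-zone target and the 'l' entry with a target, and leaves the 'c' entry alone because its target is honored for change-password.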
