krb5 commit: Check in kadm5.acl.man

Benjamin Kaduk kaduk at MIT.EDU
Tue Oct 16 18:15:25 EDT 2012 

https://github.com/krb5/krb5/commit/e15127e05f2b12bdd39940a1135cc1510e062aff
commit e15127e05f2b12bdd39940a1135cc1510e062aff
Author: Ben Kaduk <kaduk at mit.edu>
Date:   Tue Oct 16 16:07:16 2012 -0400

    Check in kadm5.acl.man
    
    Somehow this man page was overlooked, previously.

 src/man/kadm5.acl.man |  234 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 234 insertions(+), 0 deletions(-)

diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man
new file mode 100644
index 0000000..ec1da53
--- /dev/null
+++ b/src/man/kadm5.acl.man
@@ -0,0 +1,234 @@
+.TH "KADM5.ACL" "5" " " "0.0.1" "MIT Kerberos"
+.SH NAME
+kadm5.acl \- Kerberos ACL file
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.\" Man page generated from reStructuredText.
+.
+.SH DESCRIPTION
+.sp
+The Kerberos \fIkadmind(8)\fP daemon uses an Access Control List
+(ACL) file to manage access rights to the Kerberos database.
+For operations that affect principals, the ACL file also controls
+which principals can operate on which other principals.
+.sp
+The default location of the Kerberos ACL file is
+\fB at LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP  unless this is overridden by the \fIacl_file\fP
+variable in \fIkdc.conf(5)\fP.
+.SH SYNTAX
+.sp
+Empty lines and lines starting with the sharp sign (\fB#\fP) are
+ignored.  Lines containing ACL entries have the format:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+principal  permissions  [target_principal  [restrictions] ]
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.IP Note
+Line order in the ACL file is important.  The first matching entry
+will control access for an actor principal on a target principal.
+.RE
+.INDENT 0.0
+.TP
+.B \fIprincipal\fP
+(Partially or fully qualified Kerberos principal name.) Specifies
+the principal whose permissions are to be set.
+.sp
+Each component of the name may be wildcarded using the \fB*\fP
+character.
+.TP
+.B \fIpermissions\fP
+Specifies what operations may or may not be performed by a
+\fIprincipal\fP matching a particular entry.  This is a string of one or
+more of the following list of characters or their upper\-case
+counterparts.  If the character is \fIupper\-case\fP, then the operation
+is disallowed.  If the character is \fIlower\-case\fP, then the operation
+is permitted.
+.TS
+center;
+|l|l|.
+_
+T{
+a
+T}	T{
+[Dis]allows the addition of principals or policies
+T}
+_
+T{
+c
+T}	T{
+[Dis]allows the changing of passwords for principals
+T}
+_
+T{
+d
+T}	T{
+[Dis]allows the deletion of principals or policies
+T}
+_
+T{
+i
+T}	T{
+[Dis]allows inquiries about principals or policies
+T}
+_
+T{
+l
+T}	T{
+[Dis]allows the listing of principals or policies
+T}
+_
+T{
+m
+T}	T{
+[Dis]allows the modification of principals or policies
+T}
+_
+T{
+p
+T}	T{
+[Dis]allows the propagation of the principal database (used in \fIincr_db_prop\fP)
+T}
+_
+T{
+s
+T}	T{
+[Dis]allows the explicit setting of the key for a principal
+T}
+_
+T{
+x
+T}	T{
+Short for admcil. All privileges
+T}
+_
+T{
+*
+T}	T{
+Same as x.
+T}
+_
+.TE
+.TP
+.B \fItarget_principal\fP
+(Optional. Partially or fully qualified Kerberos principal name.)
+Specifies the principal on which \fIpermissions\fP may be applied.
+Each component of the name may be wildcarded using the \fB*\fP
+character.
+.sp
+\fItarget_principal\fP can also include back\-references to \fIprincipal\fP,
+in which \fB*number\fP matches the component number in \fIprincipal\fP.
+.TP
+.B \fIrestrictions\fP
+(Optional) A string of flags. Allowed restrictions are:
+.INDENT 7.0
+.INDENT 3.5
+.INDENT 0.0
+.TP
+.B {+|\-}\fIflagname\fP
+flag is forced to the indicated value.  The permissible flags
+are the same as the + and \- flags for the kadmin
+\fIadd_principal\fP and \fImodify_principal\fP commands.
+.TP
+.B \fI\-clearpolicy\fP
+policy is forced to be empty.
+.TP
+.B \fI\-policy pol\fP
+policy is forced to be \fIpol\fP.
+.TP
+.B \-{\fIexpire, pwexpire, maxlife, maxrenewlife\fP} \fItime\fP
+(\fIgetdate\fP string) associated value will be forced to
+MIN(\fItime\fP, requested value).
+.UNINDENT
+.UNINDENT
+.UNINDENT
+.sp
+The above flags act as restrictions on any add or modify operation
+which is allowed due to that ACL line.
+.UNINDENT
+.IP Warning
+If the kadmind ACL file is modified, the kadmind daemon needs to be
+restarted for changes to take effect.
+.RE
+.SH EXAMPLE
+.sp
+Here is an example of a kadm5.acl file.
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+*/admin at ATHENA.MIT.EDU        *                           # line 1
+joeadmin at ATHENA.MIT.EDU   ADMCIL                          # line 2
+joeadmin/*@ATHENA.MIT.EDU il  */root at ATHENA.MIT.EDU       # line 3
+*/root at ATHENA.MIT.EDU     cil *1 at ATHENA.MIT.EDU           # line 4
+*/*@ATHENA.MIT.EDU        i                               # line 5
+*/admin at EXAMPLE.COM       x   * \-maxlife 9h \-postdateable # line 6
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+(line 1) Any principal in the \fBATHENA.MIT.EDU\fP realm with
+an \fBadmin\fP instance has all administrative privileges.
+.sp
+(lines 1\-3) The user \fBjoeadmin\fP has all permissions with his
+\fBadmin\fP instance, \fBjoeadmin/admin at ATHENA.MIT.EDU\fP (matches line
+1).  He has no permissions at all with his null instance,
+\fBjoeadmin at ATHENA.MIT.EDU\fP (matches line 2).  His \fBroot\fP and other
+non\-\fBadmin\fP, non\-null instances (e.g., \fBextra\fP or \fBdbadmin\fP) have
+inquire and list permissions with any principal that has the
+instance \fBroot\fP (matches line 3).
+.sp
+(line 4) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can inquire, list,
+or change the password of their null instance, but not any other
+null instance.  (Here, "*1" denotes a back\-reference to the first
+component of the actor principal.)
+.sp
+(line 5) Any principal in the realm \fBATHENA.MIT.EDU\fP (except for
+\fBjoeadmin at ATHENA.MIT.EDU\fP, as mentioned above) has inquire
+privileges.
+.sp
+(line 6) Finally, any principal with an \fBadmin\fP instance in \fBEXAMPLE.COM\fP
+has all permissions, but any principal that they create or modify will
+not be able to get postdateable tickets or tickets with a life of
+longer than 9 hours.
+.SH SEE ALSO
+.sp
+\fIkdc.conf(5)\fP, \fIkadmind(8)\fP
+.SH AUTHOR
+MIT
+.SH COPYRIGHT
+2012, MIT
+.\" Generated by docutils manpage writer.
+.

More information about the cvs-krb5 mailing list