[krbdev.mit.edu #8154] kadmind ACL back-references can affect later lines
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu Mar 12 16:29:07 EDT 2015
In kadm5int_acl_find_entry(), the wildcard back-reference state is
initialized before the loop over the acl entries and not cleared for
each entry. As a result, any wildcards processed while an entry is
being checked will remain in the state structure. So, for example,
if the ACL file reads:
    */admin x
    host/* i */*1
then *1 will refer to "host" (from the wildcard in the first line)
rather than the second component of the requesting principal.
(Wildcards are not processed if the realm or number of components
does not match, or if a previous component did not match, so the
above example is somewhat fragile. For instance, if the first line
were for admin/* instead of */admin, it wouldn't trip up the back-
reference in the second line because we wouldn't process the second-
component wildcard for a host principal.)
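
Added example, not part of the original report and not the krb5 source: a minimal C model of the stale back-reference state described above, with the per-entry reset beside it. All names (wstate, match_entry, find_backref1, the sample ACLs and the principal) are hypothetical, and realm matching and ACL file parsing are left out.

```c
#include <stdio.h>
#include <string.h>

#define MAXC 4
struct wstate { int nwild; const char *wild[MAXC]; };  /* back-reference state */
struct entry { int n; const char *comp[MAXC]; };       /* "*" is a wildcard */

/* Constructed sample data: the two ACL lines from the report, the admin/*
 * variant from its last paragraph, and a requesting host principal. */
static const struct entry SAMPLE_ACL[] = {{2, {"*", "admin"}}, {2, {"host", "*"}}};
static const struct entry ALT_ACL[] = {{2, {"admin", "*"}}, {2, {"host", "*"}}};
static const char *SAMPLE_PRINC[] = {"host", "foo.example.com"};

/* Match one entry, recording each wildcard match as it is processed.
 * Stops at the first mismatching component, so later wildcards are skipped. */
static int match_entry(const struct entry *e, const char **princ, int n,
                       struct wstate *ws)
{
    if (e->n != n)
        return 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(e->comp[i], "*") == 0) {
            if (ws->nwild < MAXC)
                ws->wild[ws->nwild++] = princ[i];
        } else if (strcmp(e->comp[i], princ[i]) != 0) {
            return 0;
        }
    }
    return 1;
}

/* Return what *1 resolves to for the first matching entry, or NULL.
 * reset_per_entry == 0 models the reported behaviour (state set up once). */
const char *find_backref1(const struct entry *acl, int nacl,
                          const char **princ, int n, int reset_per_entry)
{
    struct wstate ws = { 0 };
    for (int i = 0; i < nacl; i++) {
        if (reset_per_entry)
            memset(&ws, 0, sizeof(ws));   /* the fix: clear state per entry */
        if (match_entry(&acl[i], princ, n, &ws))
            return ws.nwild > 0 ? ws.wild[0] : NULL;
    }
    return NULL;
}

int main(void)
{
    printf("stale: *1 = %s\n", find_backref1(SAMPLE_ACL, 2, SAMPLE_PRINC, 2, 0));
    printf("reset: *1 = %s\n", find_backref1(SAMPLE_ACL, 2, SAMPLE_PRINC, 2, 1));
    return 0;
}
```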