svn rev #25709: branches/krb5-1-10/src/kadmin/server/

tlyu@MIT.EDU tlyu at MIT.EDU
Tue Feb 21 23:11:56 EST 2012


http://src.mit.edu/fisheye/changelog/krb5/?cs=25709
Commit By: tlyu
Log Message:
ticket: 7093
version_fixed: 1.10.1
status: resolved

Pull up r25704 from trunk

 ------------------------------------------------------------------------
 r25704 | ghudson | 2012-02-21 14:14:47 -0500 (Tue, 21 Feb 2012) | 15 lines

 ticket: 7093
 subject: Access controls for string RPCs [CVE-2012-1012]
 target_version: 1.10.1
 tags: pullup

 In the kadmin protocol, make the access controls for
 get_strings/set_string mirror those of get_principal/modify_principal.
 Previously, anyone with global list privileges could get or modify
 string attributes on any principal.  The impact of this depends on how
 generous the kadmind acl is with list permission and whether string
 attributes are used in a deployment (nothing in the core code uses
 them yet).

 CVSSv2 vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:O/RC:C


Changed Files:
U   branches/krb5-1-10/src/kadmin/server/server_stubs.c
Modified: branches/krb5-1-10/src/kadmin/server/server_stubs.c
===================================================================
--- branches/krb5-1-10/src/kadmin/server/server_stubs.c	2012-02-22 04:11:51 UTC (rev 25708)
+++ branches/krb5-1-10/src/kadmin/server/server_stubs.c	2012-02-22 04:11:56 UTC (rev 25709)
@@ -1634,10 +1634,13 @@
         goto exit_func;
     }
 
-    if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
-                                                       rqst2name(rqstp),
-                                                       ACL_LIST, NULL, NULL)) {
-        ret.code = KADM5_AUTH_LIST;
+    if (! cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) &&
+        (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+                                                        rqst2name(rqstp),
+                                                        ACL_INQUIRE,
+                                                        arg->princ,
+                                                        NULL))) {
+        ret.code = KADM5_AUTH_GET;
         log_unauth("kadm5_get_strings", prime_arg,
                    &client_name, &service_name, rqstp);
     } else {
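Review bot: In the kadm5_get_strings check, the self-access test is ANDed in front of the whole denial clause, so when cmp_gss_krb5_name() matches, neither CHANGEPW_SERVICE(rqstp) nor the ACL_INQUIRE check is evaluated. A client authenticated to the changepw service can therefore still read its own string attributes. If that is intended as part of mirroring get_principal, a short comment above the condition saying so would keep a later reader from mistaking it for an oversight, since the nested negations are easy to misread. Minor style point: "! cmp_gss_krb5_name" has a space after the "!" while "!kadm5int_acl_check" two lines later does not; pick one.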
@@ -1690,10 +1693,10 @@
         goto exit_func;
     }
 
-    if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
-                                                       rqst2name(rqstp),
-                                                       ACL_LIST, NULL, NULL)) {
-        ret.code = KADM5_AUTH_LIST;
+    if (CHANGEPW_SERVICE(rqstp)
+        || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY,
+                               arg->princ, NULL)) {
+        ret.code = KADM5_AUTH_MODIFY;
         log_unauth("kadm5_mod_strings", prime_arg,
                    &client_name, &service_name, rqstp);
     } else {
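Review bot: The modify path now requires ACL_MODIFY on arg->princ with no self-access exemption, unlike the get path in the previous hunk. That matches the stated goal of mirroring modify_principal, but the asymmetry deserves a one-line comment. The denial is logged as "kadm5_mod_strings" while the log message names the RPC set_string; confirm the label matches what operators will search for when auditing denied attempts. The continuation here starts with "||" while the previous hunk ends its lines with the operator, so the two conditions should be formatted the same way. Only server_stubs.c is in the changed-file list, so a regression test would be worth adding: one that exercises a principal holding only list privilege against both RPCs and expects KADM5_AUTH_GET and KADM5_AUTH_MODIFY.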


