krb5 commit: Make the kadm5.acl example sane

Benjamin Kaduk kaduk at MIT.EDU
Wed Oct 10 14:50:49 EDT 2012


https://github.com/krb5/krb5/commit/45c43584beb6534ed0929fbc7240a0a2a9aad6dd
commit 45c43584beb6534ed0929fbc7240a0a2a9aad6dd
Author: Ben Kaduk <kaduk at mit.edu>
Date:   Thu Oct 4 18:00:07 2012 -0400

    Make the kadm5.acl example sane
    
    It is an egregious security violation to give all admin principals
    admin rights and then give all null instances permission to change
    the password of the associated admin instance.
    
    While here, don't assume that admin and root are the only non-null
    instances, and correct the formatting of an entry with restrictions.

 doc/rst_source/krb_admins/conf_files/kadm5_acl.rst |   19 ++++++++++---------
 1 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/doc/rst_source/krb_admins/conf_files/kadm5_acl.rst b/doc/rst_source/krb_admins/conf_files/kadm5_acl.rst
index 5f28b7a..a02472e 100644
--- a/doc/rst_source/krb_admins/conf_files/kadm5_acl.rst
+++ b/doc/rst_source/krb_admins/conf_files/kadm5_acl.rst
@@ -101,9 +101,9 @@ Here is an example of a kadm5.acl file.
     */admin at ATHENA.MIT.EDU        *                           # line 1
     joeadmin at ATHENA.MIT.EDU   ADMCIL                          # line 2
     joeadmin/*@ATHENA.MIT.EDU il  */root at ATHENA.MIT.EDU       # line 3
-    *@ATHENA.MIT.EDU          cil *1/admin at ATHENA.MIT.EDU     # line 4
+    */root at ATHENA.MIT.EDU     cil *1 at ATHENA.MIT.EDU           # line 4
     */*@ATHENA.MIT.EDU        i                               # line 5
-    */admin at EXAMPLE.COM       * -maxlife 9h -postdateable     # line 6
+    */admin at EXAMPLE.COM       x   * -maxlife 9h -postdateable # line 6
 
 (line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with
 an ``admin`` instance has all administrative privileges.
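Review bot: line 6 now has a separate permission field (`x`) in front of the target `*`, so `-maxlife 9h -postdateable` is read as restrictions rather than being swallowed into the target column; since line 1 expresses full privileges as `*` while line 6 uses `x`, the description of line 6 (outside this hunk) should say that `x` and `*` mean the same thing, or line 6 should use `*` as well, so readers do not take them for different privilege sets. The new line 4, `*/root@ATHENA.MIT.EDU cil *1@ATHENA.MIT.EDU`, restricts the password-change right to a root instance acting on its own null instance, which removes the path the commit message describes where any null instance could change the password of the matching admin instance.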
@@ -111,13 +111,14 @@ an ``admin`` instance has all administrative privileges.
 (lines 1-3) The user ``joeadmin`` has all permissions with his
 ``admin`` instance, ``joeadmin/admin at ATHENA.MIT.EDU`` (matches line
 1).  He has no permissions at all with his null instance,
-``joeadmin at ATHENA.MIT.EDU`` (matches line 2).  His root instance has
-inquire and list permissions with any other principal that has the
-instance root (matches line 3).
-
-(line 4) Any principal in ``ATHENA.MIT.EDU`` can inquire, list,
-or change the password of their ``admin`` instance, but not any other
-admin instance.  (Here, "\*1" denotes a back-reference to the first
+``joeadmin at ATHENA.MIT.EDU`` (matches line 2).  His ``root`` and other
+non-``admin``, non-null instances (e.g., ``extra`` or ``dbadmin``) have
+inquire and list permissions with any principal that has the
+instance ``root`` (matches line 3).
+
+(line 4) Any ``root`` principal in ``ATHENA.MIT.EDU`` can inquire, list,
+or change the password of their null instance, but not any other
+null instance.  (Here, "\*1" denotes a back-reference to the first
 component of the actor principal.)
 
 (line 5) Any principal in the realm ``ATHENA.MIT.EDU`` (except for
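Review bot: the rewritten paragraph for lines 1-3 says joeadmin's root and other non-admin, non-null instances get inquire and list on root-instance targets via line 3, but `joeadmin/root@ATHENA.MIT.EDU` is also covered by the new line 4 (`*/root@ATHENA.MIT.EDU cil *1@ATHENA.MIT.EDU`) for the target `joeadmin@ATHENA.MIT.EDU`; the text should state that the two entries apply to different targets (line 3 to `*/root` targets, line 4 to the actor's own null instance), otherwise a reader may conclude the root instance only ever has `il`. The line-4 paragraph itself is consistent with the new ACL line: root instances get `cil` on their own null instance only, and the "\*1" back-reference explanation still applies.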

