krb5 commit: Allow self-service for kadmin purgekeys RPC

Greg Hudson ghudson at MIT.EDU
Fri Jul 19 18:14:56 EDT 2013


https://github.com/krb5/krb5/commit/9a735044d70304f22a013a81ab5c2901a64d3719
commit 9a735044d70304f22a013a81ab5c2901a64d3719
Author: Greg Hudson <ghudson at mit.edu>
Date:   Fri Jul 19 10:08:08 2013 -0400

    Allow self-service for kadmin purgekeys RPC
    
    Make the purgekeys RPC allow self-service, like the chpass and chrand
    RPCs.
    
    ticket: 7681 (new)

 src/kadmin/server/server_stubs.c |    7 ++++---
 src/tests/t_kadmin_acl.py        |    3 +++
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
index 0de627f..eb50c2f 100644
--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -1579,9 +1579,10 @@ purgekeys_2_svc(purgekeys_arg *arg, struct svc_req *rqstp)
         goto exit_func;
     }
 
-    if (CHANGEPW_SERVICE(rqstp)
-        || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY,
-                               arg->princ, NULL)) {
+    if (!cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) &&
+        (CHANGEPW_SERVICE(rqstp)
+         || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY,
+                                arg->princ, NULL))) {
         ret.code = KADM5_AUTH_MODIFY;
         log_unauth(funcname, prime_arg, &client_name, &service_name, rqstp);
     } else {
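Review bot: The self-match at the start of the new condition short-circuits both the `CHANGEPW_SERVICE(rqstp)` rejection and the `ACL_MODIFY` check, and nothing in the hunk records that this is deliberate. As written, a principal can purge its own old keys with no ACL entry, apparently also when the request arrives over the password-change service. A short comment above the `if` would document the policy, for example `/* A principal may purge its own old keys without ACL_MODIFY, even over the changepw service (as with chpass and chrand). */`. The denial path still calls `log_unauth`, but the success branch is outside the hunk, so confirm that self-service purges are logged with the client name. The body of purgekeys_2_svc starts and ends outside the hunk.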
diff --git a/src/tests/t_kadmin_acl.py b/src/tests/t_kadmin_acl.py
index 1d7b1d0..32e57b8 100644
--- a/src/tests/t_kadmin_acl.py
+++ b/src/tests/t_kadmin_acl.py
@@ -260,6 +260,9 @@ if 'Operation requires ``modify\'\' privilege' not in out:
 out = kadmin_as(some_modify, 'purgekeys unselected')
 if 'Operation requires ``modify\'\' privilege' not in out:
     fail('purgekeys failure (target)')
+out = kadmin_as(none, 'purgekeys none')
+if 'Old keys for principal "none at KRBTEST.COM" purged' not in out:
+    fail('purgekeys success (self exemption)')
 delprinc('selected')
 delprinc('unselected')
 
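Review bot: The added case covers only the success path, `kadmin_as(none, 'purgekeys none')`, so the boundary of the new exemption is not pinned by anything visible in this hunk. If the earlier part of the file does not already do it, add a negative case such as `out = kadmin_as(none, 'purgekeys selected')`, followed by the same "Operation requires" privilege check used on the lines above. That would confirm the self-match does not leak to other principals. The server change also appears to exempt self-requests made over the password-change service, and that path is not exercised here.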

