krb5 commit [krb5-1.14]: Fix kadmin min_life check with nonexistent policy

Tom Yu tlyu at mit.edu
Wed Jul 6 16:30:47 EDT 2016 

https://github.com/krb5/krb5/commit/ed725b8e0f43d8e6cf0ebe4eea89edabef1eba3d
commit ed725b8e0f43d8e6cf0ebe4eea89edabef1eba3d
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed Jun 8 00:00:55 2016 -0400

    Fix kadmin min_life check with nonexistent policy
    
    In kadmind, self-service key changes require a check against the
    policy's min_life field.  If the policy does not exist, this check
    should succeed according to the semantics introduced by ticket #7385.
    Fix check_min_life() to return 0 if kadm5_get_policy() returns
    KADM5_UNK_POLICY.  Reported by John Devitofranceschi.
    
    (cherry picked from commit 5fca279ca4d18f1b5798847a98e7df8737d2eb7c)
    
    ticket: 8427
    version_fixed: 1.14.3

 src/kadmin/server/misc.c |    4 +++-
 src/tests/t_policy.py    |    5 ++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/kadmin/server/misc.c b/src/kadmin/server/misc.c
index 192145c..27a6376 100644
--- a/src/kadmin/server/misc.c
+++ b/src/kadmin/server/misc.c
@@ -177,10 +177,12 @@ check_min_life(void *server_handle, krb5_principal principal,
     if(ret)
         return ret;
     if(princ.aux_attributes & KADM5_POLICY) {
+        /* Look up the policy.  If it doesn't exist, treat this principal as if
+         * it had no policy. */
         if((ret=kadm5_get_policy(handle->lhandle,
                                  princ.policy, &pol)) != KADM5_OK) {
             (void) kadm5_free_principal_ent(handle->lhandle, &princ);
-            return ret;
+            return (ret == KADM5_UNK_POLICY) ? 0 : ret;
         }
         if((now - princ.last_pwd_change) < pol.pw_min_life &&
            !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
diff --git a/src/tests/t_policy.py b/src/tests/t_policy.py
index 1fa5106..776de59 100755
--- a/src/tests/t_policy.py
+++ b/src/tests/t_policy.py
@@ -2,7 +2,7 @@
 from k5test import *
 import re
 
-realm = K5Realm(create_host=False)
+realm = K5Realm(create_host=False, start_kadmind=True)
 
 # Test password quality enforcement.
 realm.run([kadminl, 'addpol', '-minlength', '6', '-minclasses', '2', 'pwpol'])
@@ -39,6 +39,9 @@ if 'Policy: newpol [does not exist]\n' not in out:
 realm.run([kadminl, 'modprinc', '-policy', 'newpol', 'pwuser'])
 # pwuser should allow reuse of the current password since newpol doesn't exist.
 realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'])
+# Regression test for #8427 (min_life check with nonexistent policy).
+realm.run([kadmin, '-p', 'pwuser', '-w', '3rdpassword', 'cpw', '-pw',
+           '3rdpassword', 'pwuser'])
 
 # Create newpol and verify that it is enforced.
 realm.run([kadminl, 'addpol', '-minlength', '3', 'newpol'])

More information about the cvs-krb5 mailing list