krb5 commit [krb5-1.13]: Fix kadmin min_life check with nonexistent policy

Tom Yu tlyu at mit.edu
Wed Jul 6 16:33:00 EDT 2016


https://github.com/krb5/krb5/commit/736521cfa04cf30ab7a6d57a75b267eed90a6593
commit 736521cfa04cf30ab7a6d57a75b267eed90a6593
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed Jun 8 00:00:55 2016 -0400

    Fix kadmin min_life check with nonexistent policy
    
    In kadmind, self-service key changes require a check against the
    policy's min_life field.  If the policy does not exist, this check
    should succeed according to the semantics introduced by ticket #7385.
    Fix check_min_life() to return 0 if kadm5_get_policy() returns
    KADM5_UNK_POLICY.  Reported by John Devitofranceschi.
    
    (back ported from commit 5fca279ca4d18f1b5798847a98e7df8737d2eb7c)
    
    ticket: 8427
    version_fixed: 1.13.6
    tags: -pullup
    status: resolved

 src/kadmin/server/misc.c |    4 +++-
 src/tests/t_policy.py    |    5 ++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/kadmin/server/misc.c b/src/kadmin/server/misc.c
index 192145c..27a6376 100644
--- a/src/kadmin/server/misc.c
+++ b/src/kadmin/server/misc.c
@@ -177,10 +177,12 @@ check_min_life(void *server_handle, krb5_principal principal,
     if(ret)
         return ret;
     if(princ.aux_attributes & KADM5_POLICY) {
+        /* Look up the policy.  If it doesn't exist, treat this principal as if
+         * it had no policy. */
         if((ret=kadm5_get_policy(handle->lhandle,
                                  princ.policy, &pol)) != KADM5_OK) {
             (void) kadm5_free_principal_ent(handle->lhandle, &princ);
-            return ret;
+            return (ret == KADM5_UNK_POLICY) ? 0 : ret;
         }
         if((now - princ.last_pwd_change) < pol.pw_min_life &&
            !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
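Review bot: The new early return in check_min_life() fails open, and the added comment does not say so: when kadm5_get_policy() returns KADM5_UNK_POLICY, the min_life throttle on self-service key changes is skipped entirely. Since this is the only error mapped to success, I would say that in the comment, e.g. `/* Only KADM5_UNK_POLICY is treated as "no policy"; any other lookup error still denies the change. */`, so a later edit does not widen the set by accident. For consistency with the `!= KADM5_OK` comparison just above it, the return could read `return (ret == KADM5_UNK_POLICY) ? KADM5_OK : ret;`. The function begins and ends outside this hunk, so whether the rest of it returns a bare 0 is not visible here.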
diff --git a/src/tests/t_policy.py b/src/tests/t_policy.py
index f4cb4b4..7b95342 100644
--- a/src/tests/t_policy.py
+++ b/src/tests/t_policy.py
@@ -2,7 +2,7 @@
 from k5test import *
 import re
 
-realm = K5Realm(create_host=False)
+realm = K5Realm(create_host=False, start_kadmind=True)
 
 # Test password quality enforcement.
 realm.run_kadminl('addpol -minlength 6 -minclasses 2 pwpol')
@@ -48,6 +48,9 @@ if ('WARNING: policy "newpol" does not exist' not in out or
 out = realm.run_kadminl('cpw -pw 3rdpassword pwuser')
 if ' changed.' not in out:
     fail('reuse of current password with nonexistent policy')
+# Regression test for #8427 (min_life check with nonexistent policy).
+realm.run([kadmin, '-p', 'pwuser', '-w', '3rdpassword',
+           '-q', 'cpw -pw 3rdpassword pwuser'])
 
 # Create newpol and verify that it is enforced.
 realm.run_kadminl('addpol -minlength 3 newpol')
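Review bot: The regression test for #8427 discards kadmin's output, unlike the `run_kadminl` check directly above it, so it passes or fails only on whatever `realm.run` does with the exit status. If kadmin exits 0 even when a `-q` query is rejected (worth confirming on this branch), the test would pass with the min_life bug still present. Capturing and checking the output would pin the behaviour: `out = realm.run([kadmin, '-p', 'pwuser', '-w', '3rdpassword', '-q', 'cpw -pw 3rdpassword pwuser'])` followed by `if ' changed.' not in out: fail('min_life check with nonexistent policy')`.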

