krb5 commit: Prevent deletion of K/M
Greg Hudson
ghudson at mit.edu
Mon Jun 15 17:48:23 EDT 2020
https://github.com/krb5/krb5/commit/94b936a1bf0a8c67809597c5ea5400d8994d5dd8
commit 94b936a1bf0a8c67809597c5ea5400d8994d5dd8
Author: Greg Hudson <ghudson at mit.edu>
Date: Sat Jun 13 21:55:54 2020 -0400
Prevent deletion of K/M
In libkadm5srv, do not allow deletion of the master key principal, as
it is very difficult to recover a KDB after doing so.
ticket: 8913
src/lib/kadm5/srv/svr_principal.c | 4 ++++
src/tests/t_kadmin_acl.py | 6 ++++++
2 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 8a7ab6e..315c541 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -537,6 +537,10 @@ kadm5_delete_principal(void *server_handle, krb5_principal principal)
if (principal == NULL)
return EINVAL;
+ /* Deleting K/M is mostly unrecoverable, so don't allow it. */
+ if (krb5_principal_compare(handle->context, principal, master_princ))
+ return KADM5_PROTECT_PRINCIPAL;
+
if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
return(ret);
ret = k5_kadm5_hook_remove(handle->context, handle->hook_handles,
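Review bot: The guard added at the top of kadm5_delete_principal covers only the delete path, and this hunk does not show whether the other libkadm5srv operations that can make K/M disappear from the KDB, a rename in particular, carry the same check. If they do not, the same comparison against master_princ returning KADM5_PROTECT_PRINCIPAL belongs there too, so that the protection does not depend on which admin operation is used. The comment could also say why the loss is unrecoverable, for example `/* K/M holds the master key protecting the other keys in the KDB; deleting it is mostly unrecoverable, so refuse. */`. The function body continues past the end of the hunk, so anything after the hook call is not reviewed here.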
diff --git a/src/tests/t_kadmin_acl.py b/src/tests/t_kadmin_acl.py
index 86eb597..8946e8c 100755
--- a/src/tests/t_kadmin_acl.py
+++ b/src/tests/t_kadmin_acl.py
@@ -328,4 +328,10 @@ realm.run([kadmin, '-c', realm.ccache, 'cpw', '-randkey', 'none'],
realm.run([kadmin, '-c', realm.ccache, 'cpw', '-randkey', '-e', 'aes256-cts',
'none'], expected_code=1, expected_msg=msg)
+# Test operations disallowed at the libkadm5 layer.
+realm.run([kadminl, 'delprinc', 'K/M'],
+ expected_code=1, expected_msg='Cannot change protected principal')
+realm.run([kadminl, 'cpw', '-pw', 'pw', 'kadmin/history'],
+ expected_code=1, expected_msg='Cannot change protected principal')
+
success('kadmin ACL enforcement')
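Review bot: The new delprinc assertion checks only the exit code and error text; it never confirms that K/M is still in the database afterwards. Following it with a lookup such as `realm.run([kadminl, 'getprinc', 'K/M'])` would pin the property the commit is actually about. The kadmin/history cpw case exercises a protection that the C hunk in this commit does not add, so a short comment noting that it covers a pre-existing libkadm5 check would keep the test readable. Both cases run through kadminl only, which is reasonable for a library-layer check, but the comment could say so explicitly.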