slightly expanded wildcard support for kadm5.acl

Mike Dopheide dopheide at ncsa.uiuc.edu
Fri Mar 30 17:33:11 EDT 2007


As is typical, attached is the correct version of the patch with one 
less bug.  Sorry about that.

-Mike

Mike Dopheide wrote:
> 
> Attached is a patch to add wildcard support at the beginning and end of 
> kadm5.acl components.  I'd love to see this or something like it get 
> added to the standard codebase.  We haven't used this in the field yet, 
> I wanted to get people's opinions first.  I may not have considered all 
> of the implications (please let me know if I'm missing something bad).
> 
> We've run into a couple situations here where it would be really handy 
> to have this.
> 
> Example 1:
> Temporary guest accounts on a system that doesn't support instances. 
> This resulted in something similar to guest[001-100] principals and a 
> hundred kadm5.acl entries so the event coordinator could reset 
> passwords.  This is much more concise:
> 
> guest/admin at REALM.COM    cmi    guest*@REALM.COM
> 
> 
> Example 2:
> Multiple site admins using a central Kerberos realm.  In this case you 
> can give each site admin control to create/edit host keys in their own 
> subdomain.
> 
> site1/admin at REALM.COM   *    host/*.site1.realm.com at REALM.COM
> site2/admin at REALM.COM   *    host/*.site2.realm.com at REALM.COM
> 
> 
> -Mike
> 
> PS.  During my testing I noticed that kadmind segfaults if you forget to 
> add the ACL permissions to a line in kadm5.acl.  :)
> 
> 
> ------------------------------------------------------------------------
> 
> diff -Nur krb5-1.6/src/lib/kadm5/srv/server_acl.c krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c
> --- krb5-1.6/src/lib/kadm5/srv/server_acl.c	2006-06-16 01:58:42.000000000 -0500
> +++ krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c	2007-03-30 14:57:19.000000000 -0500
> @@ -543,7 +543,8 @@
>  /*
>   * kadm5int_acl_match_data()	- See if two data entries match.
>   *
> - * Wildcarding is only supported for a whole component.
> + * Wildcarding is only supported at the beginning, end, or as a
> + * whole component.
>   */
>  static krb5_boolean
>  kadm5int_acl_match_data(e1, e2, targetflag, ws)
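Review bot: the new comment should also say what happens to a `*` that is neither the whole component nor its first or last character; in the code that follows, a component such as `ho*st` is taken into the wildcard path but falls into none of the three branches and so never matches anything. Stating that here (e.g. "a '*' elsewhere in a component is not a wildcard and the entry will not match") saves an administrator from writing an ACL line that silently grants nothing.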
> @@ -552,12 +553,37 @@
>      wildstate_t	*ws;
>  {
>      krb5_boolean	retval;
> +    int cmplen=0;
> +    int e2offset;
> +    int e1offset;
>  
>      DPRINT(DEBUG_CALLS, acl_debug_level, 
>  	   ("* acl_match_entry(%s, %s)\n", e1->data, e2->data));
>      retval = 0;
> -    if (!strncmp(e1->data, "*", e1->length)) {
> -	retval = 1;
> +
> +    if(strchr(e1->data, '*')){
> +        if(e1->length == 1){
> +	  /* whole component matches wildcard */
> +	    retval = 1;
> +
> +	}else if(e1->data[0] == '*'){
> +	    /* wildcard at beginning of component */
> +	    cmplen = e1->length - 1;
> +	    e2offset = e2->length - cmplen;
> +	    e1offset = 1;
> +	  
> +	}else if(e1->data[e1->length-1] == '*'){
> +	    /* wildcard at end of component */
> +	    cmplen = e1->length - 1;
> +	    e2offset=0;
> +	    e1offset=0;
> +	}
> +	
> +	/* Compare beginning or end of e2->data depending on offsets above */
> +	if((strncmp(e1->data+e1offset, e2->data+e2offset, cmplen) == 0) && (e2offset >= 0) && (cmplen != 0)){
> +	    retval = 1;
> +	}
> +	
>  	if (ws && !targetflag) {
>  	    if (ws->nwild >= 9) {
>  		DPRINT(DEBUG_ACL, acl_debug_level,
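Review bot: in the combined test after the three branches, `if((strncmp(e1->data+e1offset, e2->data+e2offset, cmplen) == 0) && (e2offset >= 0) && (cmplen != 0))`, the `&&` operands are evaluated left to right, so strncmp runs before `e2offset >= 0` is checked; for a leading-wildcard pattern whose literal part is longer than the target component (the case the `>= 0` test exists for), e2offset is negative and the comparison reads before the start of e2->data. Put the `e2offset >= 0 && cmplen != 0` guards in front of the strncmp call, and initialise the offsets at declaration (`int e2offset = 0;` / `int e1offset = 0;`), because a component such as `ho*st` matches none of the branches and leaves both uninitialised when the pointer arithmetic is done. `strchr(e1->data, '*')` and strncmp also stop at a NUL byte rather than at e1->length, so the new code depends on the data being NUL-terminated where the original `strncmp(e1->data, "*", e1->length)` was bounded by the length; `memchr(e1->data, '*', e1->length)` keeps that bound. Lastly, the `if (ws && !targetflag)` backreference block now runs whenever e1 contains a `*`, including when the partial comparison failed and retval is still 0, whereas before it ran only on a successful whole-component match.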
> 
> 
> ------------------------------------------------------------------------
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: kadm5_acl-2.patch
Url: http://mailman.mit.edu/pipermail/kerberos/attachments/20070330/fdd29dfc/attachment.bat
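A length-bounded version of the component matcher the patch introduces, written as an added example rather than taken from the patch or from MIT Kerberos: `acl_data` stands in for krb5_data, and `acl_component_match` and `match_str` are hypothetical names. It keeps the patch's semantics (bare `*`, `prefix*`, `*suffix`) but checks the target length before any comparison, treats a `*` inside the component as matching nothing, and assumes a plain literal compare for components without a `*`.

```c
#include <stdbool.h>
#include <string.h>

/* Stand-in for krb5_data: a counted buffer, not assumed NUL-terminated. */
typedef struct {
    unsigned int length;
    const char *data;
} acl_data;

/*
 * Match one kadm5.acl component (pat) against one principal component (tgt).
 * "*" alone matches any component, a leading "*" matches a suffix and a
 * trailing "*" matches a prefix; a "*" anywhere else matches nothing.
 * Every compare is bounded by the lengths, and a target shorter than the
 * literal part of the pattern is rejected before any byte is read.
 */
static bool acl_component_match(const acl_data *pat, const acl_data *tgt)
{
    size_t plen = pat->length, tlen = tgt->length;

    /* No '*' at all (assumed behaviour): exact, length-bounded compare. */
    if (memchr(pat->data, '*', plen) == NULL)
        return plen == tlen && memcmp(pat->data, tgt->data, plen) == 0;

    if (plen == 1)                        /* whole component is "*" */
        return true;

    size_t lit = plen - 1;                /* length of the literal part */
    if (tlen < lit)                       /* bounds check BEFORE comparing */
        return false;

    if (pat->data[0] == '*')              /* "*suffix": compare tail of tgt */
        return memcmp(pat->data + 1, tgt->data + (tlen - lit), lit) == 0;

    if (pat->data[plen - 1] == '*')       /* "prefix*": compare head of tgt */
        return memcmp(pat->data, tgt->data, lit) == 0;

    return false;                         /* '*' inside the component */
}

/* Convenience wrapper over C strings, e.g. match_str("guest*", "guest042"). */
static bool match_str(const char *pattern, const char *target)
{
    acl_data p = { (unsigned int)strlen(pattern), pattern };
    acl_data t = { (unsigned int)strlen(target), target };
    return acl_component_match(&p, &t);
}
```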