Bug / oversight in kadmind handling of ACL_LIST

Jorj Bauer jorj at isc.upenn.edu
Mon Jun 9 15:11:14 EDT 2014


Hi folks,

(Please point me to another list if this is better suited elsewhere.)

src/kadmin/server/server_stubs.c has an oversight in the handling of ACL_LIST which prevents ACLs like this from functioning:

	foo/listprinc@TEST.EXAMPLE.COM        l       jorj/kadmin-test.example.com@TEST.EXAMPLE.COM

The oversight is that kadm5int_acl_check is never passed the target argument; that means that either '*' matches everything, or it fails (even if you attempt to query the given specific principal).

A simple patch corrects the behavior (this is against current master, but it's easily backported to 1.11):


--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -737,6 +737,8 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
     kadm5_server_handle_t           handle;
     const char                      *errmsg = NULL;
 
+    krb5_principal                 kpr = NULL;
+
     xdr_free(xdr_gprincs_ret, &ret);
 
     if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
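Review bot: the new `krb5_principal kpr = NULL;` declaration is split off from the existing locals by a blank line; move it up next to `handle` and `errmsg` so the declaration block stays in one place. Keep the NULL initialiser, since the cleanup added later in the patch depends on it to tell whether a principal was ever parsed.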
@@ -755,10 +757,12 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
     if (prime_arg == NULL)
         prime_arg = "*";
 
+    /*kret = */ krb5_parse_name(handle->context, prime_arg, &kpr);
+
     if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
                                                        rqst2name(rqstp),
                                                        ACL_LIST,
-                                                       NULL,
+                                                       kpr,
                                                        NULL)) {
         ret.code = KADM5_AUTH_LIST;
         log_unauth("kadm5_get_principals", prime_arg,
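Review bot: the return value of krb5_parse_name() is discarded (the commented-out `/*kret = */`), so when parsing fails kpr stays NULL and kadm5int_acl_check() is called with a NULL target, which is the pre-patch behaviour, with no log entry or error to show it happened. prime_arg is the list expression and defaults to "*" two lines above, so it is not guaranteed to be a well-formed principal name. Capture the error code and decide explicitly whether a parse failure should deny with KADM5_AUTH_LIST or fall back to the untargeted check, and record that choice in a comment.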
@@ -777,6 +781,10 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
             krb5_free_error_message(handle->context, errmsg);
 
     }
+
+    if (kpr)
+        krb5_free_principal((krb5_context) NULL, kpr);
+
     gss_release_buffer(&minor_stat, &client_name);
     gss_release_buffer(&minor_stat, &service_name);
 exit_func:
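Review bot: krb5_free_principal() is called with `(krb5_context) NULL` even though kpr was parsed with handle->context in the previous hunk; pass handle->context here so allocation and release use the same context. The free also sits above the `exit_func:` label, so any path that jumps to exit_func after the parse would skip it; confirm that no such path exists, and add a short comment saying so.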



The same fundamental code appears a second time in get_pols_2_svc.

-- Jorj

-- 
Jorj Bauer
Manager of Engineering, Research and Development
Information Systems and Computing, University of Pennsylvania
215.746.3850
XMPP: jorj at upenn.edu



