Bug / oversight in kadmind handling of ACL_LIST
Jorj Bauer
jorj at isc.upenn.edu
Mon Jun 9 15:11:14 EDT 2014
Hi folks,
(Please point me to another list if this is better suited elsewhere.)
src/kadmin/server/server_stubs.c has an oversight in the handling of ACL_LIST which prevents ACLs like this from functioning:
foo/listprinc at TEST.EXAMPLE.COM l jorj/kadmin-test.example.com at TEST.EXAMPLE.COM
The oversight is that kadm5int_acl_check is never passed the target argument; that means that either '*' matches everything, or it fails (even if you attempt to query the given specific principal).
A simple patch corrects the behavior (this is against current master, but it's easily backported to 1.11):
--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -737,6 +737,8 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
kadm5_server_handle_t handle;
const char *errmsg = NULL;
+ krb5_principal kpr = NULL;
+
xdr_free(xdr_gprincs_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
@@ -755,10 +757,12 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
if (prime_arg == NULL)
prime_arg = "*";
+ /*kret = */ krb5_parse_name(handle->context, prime_arg, &kpr);
+
if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
rqst2name(rqstp),
ACL_LIST,
- NULL,
+ kpr,
NULL)) {
ret.code = KADM5_AUTH_LIST;
log_unauth("kadm5_get_principals", prime_arg,
@@ -777,6 +781,10 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
+
+ if (kpr)
+ krb5_free_principal((krb5_context) NULL, kpr);
+
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
exit_func:
The same fundamental code appears a second time in get_pols_2_svc.
-- Jorj
--
Jorj Bauer
Manager of Engineering, Research and Development
Information Systems and Computing, University of Pennsylvania
215.746.3850
XMPP: jorj at upenn.edu
More information about the Kerberos
mailing list