Bug / oversight in kadmind handling of ACL_LIST
Greg Hudson
ghudson at MIT.EDU
Mon Jun 9 16:00:57 EDT 2014
On 06/09/2014 03:11 PM, Jorj Bauer wrote:
> src/kadmin/server/server_stubs.c has an oversight in the handling of ACL_LIST which prevents ACLs like this from functioning:

I think that is deliberate, not an oversight. The argument to
get_princs is a pattern, not a principal name; parsing it as a principal
name and matching it against the ACL target pattern would have fuzzy
semantics at best.

I do see that our documentation uses list permissions in an example with
a target principal, which is deceptive. We should be explicit that list
permission is all or nothing. I will file an issue.