Bug / oversight in kadmind handling of ACL_LIST

Greg Hudson ghudson at MIT.EDU
Mon Jun 9 16:00:57 EDT 2014


On 06/09/2014 03:11 PM, Jorj Bauer wrote:
> src/kadmin/server/server_stubs.c has an oversight in the handling of ACL_LIST which prevents ACLs like this from functioning:

I think that is deliberate, not an oversight.  The argument to
get_princs is a pattern, not a principal name; parsing it as a principal
name and matching it against the ACL target pattern would have fuzzy
semantics at best.

I do see that our documentation uses list permissions in an example with
a target principal, which is deceptive.  We should be explicit that list
permission is all or nothing.  I will file an issue.

