Bug / oversight in kadmind handling of ACL_LIST

Jorj Bauer jorj at isc.upenn.edu
Mon Jun 9 16:12:32 EDT 2014


On Jun 9, 2014, at 4:00 PM, Greg Hudson <ghudson at MIT.EDU> wrote:

> On 06/09/2014 03:11 PM, Jorj Bauer wrote:
>> src/kadmin/server/server_stubs.c has an oversight in the handling of ACL_LIST which prevents ACLs like this from functioning:
> 
> I think that is deliberate, not an oversight.  The argument to
> get_princs is a pattern, not a principal name; parsing it as a principal
> name and matching it against the ACL target pattern would have fuzzy
> semantics at best.
> 
> I do see that our documentation uses list permissions in an example with
> a target principal, which is deceptive.  We should be explicit that list
> permission is all or nothing.  I will file an issue.

Thanks. I'm slightly puzzled by the decision to make such a limitation, when one might actually have a use case for such an ACL, which is syntactically and semantically valid.

This comes up for us in a slightly larger context. We maintain a set of patches that allow regex against the right-hand side of that config file, so that we can do this:

	*/kadmin-*@TEST.NET.ISC.UPENN.EDU       *       */*2$@TEST.NET.ISC.UPENN.EDU
	*/kadmin-*@TEST.NET.ISC.UPENN.EDU       *       */kadmin-*2$@TEST.NET.ISC.UPENN.EDU

... which allows kadmins to manage their own sub-zones in the realm. Our decentralized IT works that way.

We have a similar use case for the RHS of list, which has the ability to list kadmins but not everything:

	foo/listprinc@TEST.NET.ISC.UPENN.EDU        l       */kadmin-*@TEST.NET.ISC.UPENN.EDU

... which is how we stumbled across this issue.

Of course, I'd like to see this underlying patch in place so that it doesn't break the 'list' case for us, but if it's deemed something that's not in the best interests of the project, so be it.

But if I can convince folks to be interested in the larger patch, I'll happily submit that in toto.

-- Jorj

-- 
Jorj Bauer
Manager of Engineering, Research and Development
Information Systems and Computing, University of Pennsylvania
215.746.3850
XMPP: jorj at upenn.edu
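As an added illustration (not part of the thread and not krb5 code): a small linter that models the three-column kadm5.acl layout discussed above and flags entries whose list permission carries a target, since, as stated in the reply, list permission is all or nothing and the target pattern does not scope what can be listed. The wildcard matching is a simplified per-component glob model, and the sample ACL is constructed.

```python
"""Lint kadm5.acl entries whose list ('l') permission carries a target.

Constructed example: models the 'principal  permissions  [target]' layout and
a per-component glob match ('*' and '?' within a component, component counts
must agree). It is not the kadmind implementation.
"""
import fnmatch

# Permission letters that include list: 'l' itself, or the all-privileges codes.
LIST_PERMS = {"l", "*", "x"}

# Constructed sample, modelled on the entries quoted in the thread.
SAMPLE_ACL = """\
# kadm5.acl: principal  permissions  [target]
*/kadmin-*@TEST.NET.ISC.UPENN.EDU       *   */kadmin-*@TEST.NET.ISC.UPENN.EDU
foo/listprinc@TEST.NET.ISC.UPENN.EDU    l   */kadmin-*@TEST.NET.ISC.UPENN.EDU
audit/list@TEST.NET.ISC.UPENN.EDU       l
"""

def split_components(princ):
    """'svc/host@REALM' -> ['svc', 'host', 'REALM']; patterns split the same way."""
    name, _, realm = princ.rpartition("@")
    return name.split("/") + [realm]

def pattern_matches(pattern, princ):
    """Glob match of a principal against an ACL pattern, component by component."""
    pc, xc = split_components(pattern), split_components(princ)
    if len(pc) != len(xc):
        return False
    return all(fnmatch.fnmatchcase(x, p) for p, x in zip(pc, xc))

def parse_acl(text):
    """Parse kadm5.acl text into dicts; '#' starts a comment, blank lines skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: need principal and permissions")
        entries.append({"line": lineno, "principal": fields[0], "perms": fields[1],
                        "target": fields[2] if len(fields) > 2 else None})
    return entries

def lint_list_targets(text):
    """Line numbers of entries granting list with a target: the target is not
    consulted for list operations, so it does not restrict what is listed."""
    return [e["line"] for e in parse_acl(text)
            if e["target"] and (set(e["perms"]) & LIST_PERMS)]

if __name__ == "__main__":
    for n in lint_list_targets(SAMPLE_ACL):
        print(f"line {n}: list permission with target; target is not applied to list")
```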
