Bug / oversight in kadmind handling of ACL_LIST

Kenneth MacDonald Kenneth.MacDonald at ed.ac.uk
Fri Jun 20 11:52:16 EDT 2014


On Mon, 2014-06-09 at 20:12 +0000, Jorj Bauer wrote:
> On Jun 9, 2014, at 4:00 PM, Greg Hudson <ghudson at MIT.EDU> wrote:
> 
> > On 06/09/2014 03:11 PM, Jorj Bauer wrote:
> >> src/kadmin/server/server_stubs.c has an oversight in the handling of ACL_LIST which prevents ACLs like this from functioning:
> > 
> > I think that is deliberate, not an oversight.  The argument to
> > get_princs is a pattern, not a principal name; parsing it as a principal
> > name and matching it against the ACL target pattern would have fuzzy
> > semantics at best.
> > 
> > I do see that our documentation uses list permissions in an example with
> > a target principal, which is deceptive.  We should be explicit that list
> > permission is all or nothing.  I will file an issue.
> 
> Thanks. I'm slightly puzzled by the decision to make such a limitation, when one might actually have a use case for such an ACL, which is syntactically and semantically valid.
> 
> This comes up for us in a slightly larger context. We maintain a set of patches that allow regex against the right-hand side of that config file, so that we can do this:
> 
> 	*/kadmin-*@TEST.NET.ISC.UPENN.EDU       *       */*2$@TEST.NET.ISC.UPENN.EDU
> 	*/kadmin-*@TEST.NET.ISC.UPENN.EDU       *       */kadmin-*2$@TEST.NET.ISC.UPENN.EDU
> 
> ... which allows kadmins to manage their own sub-zones in the realm. Our decentralized IT works that way.

We also maintain a patch to allow simple matching of sub-component
strings on principals for similar purposes.  We have lines like ...

*/dept.admin@REALM * */*.dept.ed.ac.uk@REALM

to allow departmental admins to manage service principals inside their
DNS domain.

<https://sourced.ecdf.ed.ac.uk/projects/is/package-recipes/browser/krb5/tags/krb5_sl6_5.11.3-3.el6.3.is/krb5-1.11.3-wildcard_target.patch>

> We have a similar use case for the RHS of list, which has the ability to list kadmins but not everything:
> 
> 	foo/listprinc@TEST.NET.ISC.UPENN.EDU        l       */kadmin-*@TEST.NET.ISC.UPENN.EDU
> 
> ... which is how we stumbled across this issue.

We decided to live with the departmental admins not being able to list
any principals on demand, but they can ask central admins for a report
if they wish.

> Of course, I'd like to see this underlying patch in place so that it doesn't break the 'list' case for us, but if it's deemed something that's not in the best interests of the project, so be it.
> 
> But if I can convince folks to be interested in the larger patch, I'll happily submit that in toto.

I'd be interested in seeing your regexp patch.

Cheers,

Kenny.


-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
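An added example, not MIT krb5 code and not either poster's patch: a deliberately simplified model of kadm5.acl evaluation that illustrates the point made above. Target patterns narrow add/modify permissions component by component, but a list ('l') request carries a glob pattern rather than a principal name, so the target on an 'l' line is never consulted and list permission is all or nothing. Realm, principal names and wildcard semantics (a '*' matches one whole component) are constructed assumptions.

```python
# Simplified model of kadm5.acl evaluation, constructed for this thread.
# Assumption: '*' matches exactly one whole name component; '*' in the
# permission field means all permissions. Real MIT krb5 has more rules.
LIST_PERM = "l"

# Constructed ACL. Line 2 looks as if it limits listing to */dept principals.
ACL_TEXT = """
*/admin@EXAMPLE.ORG             *   */dept@EXAMPLE.ORG
auditor/listprinc@EXAMPLE.ORG   l   */dept@EXAMPLE.ORG
"""

def parse_principal(name):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM')."""
    body, sep, realm = name.rpartition("@")
    if not sep:
        body, realm = name, ""
    return body.split("/"), realm

def component_match(pattern, name):
    """Per-component wildcard match of a principal against an ACL pattern."""
    pcomps, prealm = parse_principal(pattern)
    ncomps, nrealm = parse_principal(name)
    if len(pcomps) != len(ncomps) or prealm != nrealm:
        return False
    return all(p == "*" or p == n for p, n in zip(pcomps, ncomps))

def parse_acl(text):
    """Return (client_pattern, perms, target_pattern_or_None) per line."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            rules.append((fields[0], fields[1], fields[2] if len(fields) > 2 else None))
    return rules

def is_allowed(rules, client, perm, target=None):
    """First rule whose client and permission match decides; target is
    checked only for operations that name a principal."""
    for acl_client, perms, acl_target in rules:
        if not component_match(acl_client, client):
            continue
        if perms != "*" and perm not in perms:
            continue
        if perm == LIST_PERM:
            # A list request's argument is a glob, not a principal, so the
            # ACL target cannot be matched against it: 'l' is all or nothing.
            return True
        if acl_target is None or component_match(acl_target, target):
            return True
    return False
```

Running is_allowed(parse_acl(ACL_TEXT), "auditor/listprinc@EXAMPLE.ORG", "l", "*/other@EXAMPLE.ORG") returns True despite the */dept target, which is the behaviour the thread describes.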
