Simple ACL wildcard patch
ghudson at mit.edu
Fri Aug 29 10:58:10 EDT 2014
I'm moving this to krbdev at mit.edu. kerberos at mit.edu is more
user-oriented and isn't specific to MIT krb5. The original message is at:
On 08/29/2014 05:54 AM, Kenneth MacDonald wrote:
> I have deployed this simple patch (attached) that checks for an asterisk
> at the beginning of the target, but followed by a non-digit. It then
> matches on the rest of the target.
I think we can do more general wildcard matching using fnmatch(), as
long as the component isn't a back-reference. I would rather do that
than support a wildcard at the beginning only.
It would be even better if we could do wildcard matching with
back-references mixed in, but that requires a custom fnmatch.
I found two old entries in our bug tracker containing patches for
limited wildcard support, so this is definitely not an unprecedented
> Is this patch small and simple enough to form the basis of a change to
> the core code? If so, I'll happily patch up the documentation and
> prepare it against trunk.
There are a few issues with this patch, most of which are mooted by the
above. The biggest thing is that pointers inside krb5_data structures
should not be assumed to be zero-terminated. In practice,
krb5_parse_name defensively zero-terminates components, so you shouldn't
expect to run into trouble. But we don't like to rely on that.
If you do decide to work up a patch using fnmatch, and have a github
account or don't mind making one, you can submit a pull request at
github.com/krb5/krb5. There's more information at:
Be aware that we're in the stabilization period for 1.13, so at this
point contributed new features will go into 1.14.
More information about the krbdev