[14585] in Kerberos
Re: privileges ignored for instances, part II
daemon@ATHENA.MIT.EDU (Christopher P. Lindsey)
Mon Jun 25 01:18:57 2001
X-Envelope-From: lindsey
X-Envelope-To: kerberos@MIT.EDU
Date: Mon, 25 Jun 2001 00:13:33 -0500
From: "Christopher P. Lindsey" <lindsey@mallorn.com>
To: kerberos@MIT.EDU
Message-ID: <20010625001333.A31725@mallorn.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <20010605154441.A6290@mallorn.com>; from lindsey@mallorn.com on Tue, Jun 05, 2001 at 03:44:41PM -0500
> About two weeks ago I sent this message, but haven't heard any responses.
>
> If anyone gives specific privileges for certain instances to principals
> in their kadm5.acl file under Kerberos 1.2.2, could you please let me
> know?
>
> If you don't have this setup but wouldn't mind spending five minutes to
> try it out, could you please let me know the outcome?
I wish I could say thanks for all the help, but I was able to track down
this bug in spite of the deafening silence. :)
Kerberos 1.0.6 allowed entries like this in kadm.acl:
    aisadmin@MALLORN.COM admcil */ais@MALLORN.COM
This would give the user 'aisadmin' list privileges against the specified
instance, so doing something like
    listprincs */ais@MALLORN.COM
would work.
1.2.2 apparently doesn't allow instance matching for list requests, so
the example above fails.
For now, I was able to get around it by listing aisadmin twice in the
kadm.acl file:
    aisadmin@MALLORN.COM admcil */ais@MALLORN.COM
    aisadmin@MALLORN.COM l *
Sure, aisadmin has global list privileges, but it's not the end of the world.
Still, I'd rather restrict that user's access to principals that are only
within a specific instance.
Anyhow, I thought I'd share what I found, and if I have time, I'll write
and submit a patch.
Chris
> kadmin -p aisadmin -w xxxxxxxx -q 'listprincs "*/ais@MALLORN.COM"'
>
> This used to work under 1.0.6, but now I get the error
>
> get_principals: Operation requires ``list'' privilege while retrieving list.
>
> However, the kadm5.acl file gives list privileges to the aisadmin user:
>
> aisadmin@MALLORN.COM admcil */ais@MALLORN.COM
>
> If I remove the specific instance and give aisadmin all access (i.e.
>
> aisadmin@MALLORN.COM admcil
>
> or
>
> aisadmin@MALLORN.COM * *
>
> ), things work fine (but I don't want to give aisadmin that much power).
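An added example, not part of Chris's message and not MIT's kadm5 code: a small Python model of kadm5.acl evaluation as the thread describes it (requesting principal, privilege letters, optional target pattern), with list requests checked without a target principal, which is what the 1.2.2 behaviour above implies. Component-wise wildcard matching and "any matching entry grants" are simplifying assumptions; the ACL texts, request principals and the helpers `listprincs_allowed`, `getprinc_allowed` and `global_grants` are constructed here. The model reproduces the thread's observations: the instance-restricted entry alone denies `listprincs`, the two-line workaround grants it, and `global_grants` surfaces the realm-wide `l *` grant that the workaround introduces.

```python
"""Toy model of kadm5.acl evaluation (added example; assumptions noted)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

# Constructed ACL texts reproducing the entries quoted in the thread.
ORIGINAL_ACL = "aisadmin@MALLORN.COM admcil */ais@MALLORN.COM\n"
WORKAROUND_ACL = ORIGINAL_ACL + "aisadmin@MALLORN.COM l *\n"


@dataclass
class AclEntry:
    principal: str          # pattern for the requesting principal
    privileges: str         # privilege letters, or "*" / "x" for all
    target: Optional[str]   # optional pattern for the principal acted on


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'principal privileges [target]' lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"malformed kadm5.acl line: {raw!r}")
        target = parts[2] if len(parts) > 2 else None
        entries.append(AclEntry(parts[0], parts[1], target))
    return entries


def _split(princ: str):
    """'name/instance@REALM' -> (['name', 'instance'], 'REALM')."""
    body, sep, realm = princ.rpartition("@")
    if not sep:  # no realm given
        body, realm = princ, ""
    return body.split("/"), realm


def principal_matches(pattern: str, princ: str) -> bool:
    """Component-wise wildcard match (assumption: simplified from MIT's
    matcher). A bare '*' matches any principal."""
    if pattern == "*":
        return True
    pat_comps, pat_realm = _split(pattern)
    comps, realm = _split(princ)
    if len(pat_comps) != len(comps):
        return False
    return fnmatchcase(realm, pat_realm) and all(
        fnmatchcase(c, p) for c, p in zip(comps, pat_comps))


def is_allowed(entries, requester, priv, target=None) -> bool:
    """Grant if some entry for the requester carries the privilege letter.
    A target-restricted entry only applies when the request names a target
    that matches it; a request with no target (as the thread observes for
    list in 1.2.2) can only be satisfied by entries with no target or '*'."""
    for e in entries:
        if not principal_matches(e.principal, requester):
            continue
        if e.target is not None and e.target != "*":
            if target is None or not principal_matches(e.target, target):
                continue
        if e.privileges in ("*", "x") or priv in e.privileges:
            return True
    return False


def listprincs_allowed(acl_text, requester="aisadmin@MALLORN.COM"):
    """listprincs as the thread describes it in 1.2.2: checked without a target."""
    return is_allowed(parse_acl(acl_text), requester, "l")


def getprinc_allowed(acl_text, target, requester="aisadmin@MALLORN.COM"):
    """getprinc names a target, so instance-restricted entries can apply."""
    return is_allowed(parse_acl(acl_text), requester, "i", target)


def global_grants(acl_text):
    """Defender's check: entries granted with no target restriction,
    i.e. realm-wide, like the 'l *' workaround."""
    return [(e.principal, e.privileges) for e in parse_acl(acl_text)
            if e.target in (None, "*")]


if __name__ == "__main__":
    print("original, listprincs:", listprincs_allowed(ORIGINAL_ACL))
    print("workaround, listprincs:", listprincs_allowed(WORKAROUND_ACL))
    print("getprinc foo/ais:", getprinc_allowed(ORIGINAL_ACL, "foo/ais@MALLORN.COM"))
    print("getprinc foo/other:", getprinc_allowed(ORIGINAL_ACL, "foo/other@MALLORN.COM"))
    print("realm-wide grants:", global_grants(WORKAROUND_ACL))
```

Running `global_grants` over a real kadm5.acl is a quick way to review which principals hold privileges that are not scoped to an instance; in this model the workaround shows up as a realm-wide list grant while every other privilege for aisadmin stays restricted to `*/ais@MALLORN.COM`.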