[38666] in Kerberos
Re: kadmin ignoring target column ?
daemon@ATHENA.MIT.EDU (Laura Smith)
Sun Jan 12 16:38:00 2020
Date: Sun, 12 Jan 2020 21:37:42 +0000
To: Russ Allbery <eagle@eyrie.org>
From: Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch>
Message-ID: <wj6_keKNHkLo6jtohOEIsZOC_34IzqmK0iobG6lMedCiiN9_QgXZqabVcnEw_kg5f549IiOkRAl8xGcTk3O3U26s0gMImAXpt_9XH87fZ78=@protonmail.ch>
In-Reply-To: <87ftgk5vs9.fsf@hope.eyrie.org>
Cc: "kerberos\\@mit.edu" <kerberos@mit.edu>
------- Original Message -------
On Sunday, January 12, 2020 7:17 PM, Russ Allbery <eagle@eyrie.org> wrote:
> Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch> writes:
>
> > I am trying to create a suitably restricted user for use with
> > configuration automation (SaltStack). My line looks like the following:
>
> > saltstack/admin@EXAMPLE.COM ADMCIL nfs/*@EXAMPLE.COM
>
> > I have edited kadm5.acl and restarted kadmind, however list_princs
> > returns a list of all principals, not just nfs/* ?
>
> > If I remove the target column (i.e. saltstack/admin@EXAMPLE.COM ADMCIL)
> > and restart kadmind, then ADMCIL operates as expected (blocks
> > list_princs entirely).
>
> I don't believe the "l" permission supports the target field. I think
> it's all or nothing: either you can list all principals or you can't. The
> man page for kadm5.acl seems to support that:
>
> l [Dis]allows the listing of all principals or policies
>
> --
>
> Russ Allbery (eagle@eyrie.org) https://www.eyrie.org/~eagle/
Hi Russ,
Fair enough, but I can still add/delete principals even with ADMCIL (e.g. I could add test/test, which should not be possible with an nfs/* restriction?)
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
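The thread above turns on how kadmind evaluates a kadm5.acl entry with a target field. The documented syntax is `client permissions [target]`, where a lower-case permission letter allows an operation and an upper-case letter denies it (so `ADMCIL` is a deny list), `*` stands for a whole principal component, and `*1`..`*9` in the target refer back to the n-th `*` of the client field. The model below is an added illustration written for this page, not MIT Kerberos code; it additionally assumes first-match evaluation and that an entry with a target never matches an operation that carries no target principal (list_princs is such an operation). The `BROAD_ACL` and `SCOPED_ACL` files are constructed examples: the first shows one configuration under which the model reproduces the symptom reported in the thread (a broader entry such as the stock `*/admin@EXAMPLE.COM *` line catching what the targeted entry does not), not a claim about the poster's actual file; the second shows an ordering that, under the model, limits the client to nfs/* principals.

```python
"""Toy model of kadm5.acl evaluation (added illustration, not MIT Kerberos code).

Documented rules followed: one entry per line, `client perms [target]`; lower-case
permission letters allow and upper-case letters deny; `x`/`*` allow everything;
`*` matches one whole principal component or the realm; `*1`..`*9` in the target
refer back to the n-th `*` of the client field.  Assumptions of this model: the
first matching entry decides, and an entry that names a target never matches an
operation that carries no target principal (list is such an operation).
"""
from dataclasses import dataclass
from typing import Optional

OPS = {"a": "add", "d": "delete", "m": "modify", "c": "changepw", "i": "inquire",
       "l": "list", "s": "setkey", "e": "extract", "p": "propagate"}


@dataclass(frozen=True)
class Principal:
    components: tuple
    realm: str

    @staticmethod
    def parse(text: str) -> "Principal":
        name, sep, realm = text.rpartition("@")
        if not sep:                      # no realm given: treat it as a wildcard realm
            name, realm = text, "*"
        return Principal(tuple(name.split("/")), realm)


@dataclass(frozen=True)
class Entry:
    client: Principal
    allowed: frozenset
    target: Optional[Principal]          # None: the entry has no target field
    lineno: int


def _match(pattern: Principal, princ: Principal, wild: list, is_target: bool) -> bool:
    """Component-wise match. A client-side '*' is recorded in `wild` so that a
    target-side '*n' can refer back to it."""
    if pattern.components == ("*",) and pattern.realm == "*":
        return True                      # a bare "*" matches any principal
    if len(pattern.components) != len(princ.components):
        return False
    for pat, comp in zip(pattern.components, princ.components):
        if pat == "*":
            if not is_target:
                wild.append(comp)
        elif is_target and len(pat) == 2 and pat[0] == "*" and pat[1].isdigit():
            n = int(pat[1])
            if n < 1 or n > len(wild) or wild[n - 1] != comp:
                return False
        elif pat != comp:
            return False
    return pattern.realm in ("*", princ.realm)


def parse_ops(field: str) -> frozenset:
    allowed = set()
    for ch in field:
        if ch in "x*":
            allowed |= set(OPS.values())
        elif ch.lower() in OPS:
            if ch.islower():
                allowed.add(OPS[ch])
            else:
                allowed.discard(OPS[ch.lower()])   # upper case denies
        else:
            raise ValueError(f"unknown permission letter {ch!r}")
    return frozenset(allowed)


def parse_acl(text: str) -> list:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: need at least client and permissions")
        target = Principal.parse(fields[2]) if len(fields) > 2 else None  # restrictions ignored
        entries.append(Entry(Principal.parse(fields[0]), parse_ops(fields[1]), target, lineno))
    return entries


def check(entries: list, client: str, op: str, target: Optional[str] = None) -> tuple:
    """Return (allowed, line number of the deciding entry or None)."""
    client_p = Principal.parse(client)
    target_p = Principal.parse(target) if target is not None else None
    for e in entries:
        wild = []
        if not _match(e.client, client_p, wild, is_target=False):
            continue
        if e.target is not None:
            if target_p is None:         # list: a targeted entry cannot apply
                continue
            if not _match(e.target, target_p, wild, is_target=True):
                continue
        return op in e.allowed, e.lineno
    return False, None


# The entry from the thread: upper-case ADMCIL denies those six operations.
THREAD_ACL = "saltstack/admin@EXAMPLE.COM ADMCIL nfs/*@EXAMPLE.COM\n"
# Constructed assumption: a broad entry of the kind found in the stock example kadm5.acl.
BROAD_ACL = THREAD_ACL + "*/admin@EXAMPLE.COM *\n"
# Constructed: allow nfs/* operations, and deny everything else for this client
# before any broader entry can match it (first-match rule of this model).
SCOPED_ACL = ("saltstack/admin@EXAMPLE.COM admci nfs/*@EXAMPLE.COM\n"
              "saltstack/admin@EXAMPLE.COM ADMCILSEP\n"
              "*/admin@EXAMPLE.COM *\n")


def decisions(acl_text: str) -> dict:
    entries = parse_acl(acl_text)
    me = "saltstack/admin@EXAMPLE.COM"
    return {
        "list": check(entries, me, "list")[0],
        "add nfs/host1": check(entries, me, "add", "nfs/host1@EXAMPLE.COM")[0],
        "add test/test": check(entries, me, "add", "test/test@EXAMPLE.COM")[0],
    }
```

Under the model, `THREAD_ACL` alone denies all three operations (the targeted entry is skipped for list and nothing else matches); `BROAD_ACL` allows list and `add test/test` while still denying `add nfs/host1`, which is the pattern reported in the thread; `SCOPED_ACL` allows only the nfs/* operation. Whether a real kadmind agrees depends on the full ACL file and its ordering, so the check worth running is `kadmin -p saltstack/admin@EXAMPLE.COM` against each operation rather than trusting the model.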