[1921] in Kerberos_V5_Development
Re: Cygnus changes for your consideration
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Thu Oct 31 15:56:26 1996
Date: Thu, 31 Oct 1996 15:54:36 -0500
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: marc@MIT.EDU
Cc: eichin@cygnus.com, tytso@MIT.EDU, krbdev@MIT.EDU
In-Reply-To: <199610312045.UAA17598@beeblebrox.MIT.EDU> (message from Marc
Horowitz on Thu, 31 Oct 1996 15:45:01 EST)
>> And how does this
>> interact with tl_data types that the server knows about (mod time and
>> such that are stored in tl_data)?
>>
>> The client has to pass to kadm5_modify_principal all the tl_data
>> entries that it got from kadm5_get_principal that it does not
>> explicitly know about.
I don't like this. "internal" tl_data should not be exposed to the
administrator
In the current MIT implementation, it isn't. The only tl_data fields
are last_pw_change, mod_{date,by}, and kadm5 data. All of these are
provided directly by get_principal, so no "internal" data is exported.
Of course, some internal tl_data might be added in the future that is
not returned by get.
and should not be accepted as part of a
modify_principal request. Otherwise, the admin could change stuff
like the last_mod times, and parts of the admin data which are
"read-only".
mod_{date,by} and kadm5 data are overriden whether they are specified
to modify_principal or not. The only thing an admin could change
surreptiously with tl_data is last_pwd_change which, granted, an admin
should not be able to do.
The semantics are also unclear. If I have a mod_princ
tl_data in my modify_principal request, does that end up in the
database, or the one which the server constructs? or both? It's
easiest and most sensible just to filter out all tl_data types <= 255
from the request.
I agree that it would be a good idea to filter out all tl_data types
<= 255 during get_principal and modify_principal, assuming we accept
your implicit assumption that the tl_data type space will be broken up
that way (which I have previously agreed with but I do not think has
been officially agreed upon and certainly not documented).
However, filtering tl_data <= 255 doesn't relate to the issue of
whether tl_data given to modify_principal should override or
supplement the tl_data the principal already has.
Barry
