From djm@web.us.uu.net Fri Apr 14 12:44:58 2000
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id MAA03287 for ; Fri, 14 Apr 2000 12:44:57 -0400 (EDT)
Received: from jenkins.web.us.uu.net by MIT.EDU with SMTP id AA08981; Fri, 14 Apr 00 12:44:52 EDT
Received: from dagger.web.us.uu.net by jenkins.web.us.uu.net with ESMTP (peer crosschecked as: dagger.web.us.uu.net [208.211.134.28]) id MAA11630; Fri, 14 Apr 2000 12:44:55 -0400 (EDT)
Received: by dagger.web.us.uu.net id MAA28744; Fri, 14 Apr 2000 12:44:32 -0400
Message-Id:
Date: Fri, 14 Apr 2000 12:44:32 -0400
From: djm@web.us.uu.net (David J. MacKenzie)
Reply-To: djm@web.us.uu.net
To: krb5-bugs@MIT.EDU
Cc: djm@web.us.uu.net
Subject: enhancement to KDC ACL wildcards
X-Send-Pr-Version: 3.99

>Number: 843
>Category: krb5-libs
>Synopsis: allow more flexible wildcards in ACL files
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Fri Apr 14 12:45:01 EDT 2000
>Last-Modified:
>Originator: David MacKenzie
>Organization: UUNET Technologies
>Release: krb5-1.1.1
>Environment:
System: Linux dagger.web.us.uu.net 2.2.14-15mdk #2 Sat Mar 11 19:32:26 EST 2000 i686 unknown
Architecture: i686
>Description:
Administrative control over kadmin is not as flexible as some organizations would like. It would be desirable to only allow certain users to change certain kinds of principals.
>How-To-Repeat:
>Fix:
The following patch is from walrus@ans.net (Michael Shiplett) of UUNET. Maybe using fnmatch() would be even better, but anyway this isn't disruptive and doesn't introduce any portability problems.

--- /homes/elves/djm/src/krb5-1.1.1/src/lib/kadm5/srv/server_acl.c Fri Dec 17 15:47:03 1999
+++ src/lib/kadm5/srv/server_acl.c Tue Mar 28 16:39:10 2000
@@ -309,13 +309,22 @@ /* * acl_match_data() - See if two data entries match. * - * Wildcarding is only supported for a whole component. + * Wildcarding is supported for a whole component, + * or at the beginning or end of a component. + * This allows, e.g., + * walrus * host/*.bd.ans.net@ANS.NET + * to restrict walrus to creating/modifying only bd.ans.net host principals + * in addition to being able to restrict by + * walrus * host/*@ANS.NET + * + * e1 is from the ACL file. */ static krb5_boolean acl_match_data(e1, e2) krb5_data *e1, *e2; { krb5_boolean retval; + char *e1s, *e2s; DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_match_entry(%s, %s)\n", e1->data, e2->data)); @@ -323,6 +332,17 @@ if (!strncmp(e1->data, "*", e1->length) || !strncmp(e2->data, "*", e2->length)) { retval = 1; + } else if (e2->length < e1->length) { + } else if (e1->length && (!strncmp(e1->data, "*", 1))) { + /* beginning */ + e1s = e1->data + 1; + e2s = e2->data + (e2->length - (e1->length - 1)); + if (!strncmp(e1s, e2s, (e1->length - 1))) + retval = 1; + } else if (e1->length && !strncmp(e1->data + (e1->length - 1), "*", 1)) { + /* end */ + if (!strncmp(e1->data, e2->data, (e1->length - 1))) + retval = 1; } else { if ((e1->length == e2->length) && >Audit-Trail: >Unformatted:
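Review bot: The new header comment in the first hunk (@@ -309,13 +309,22 @@) says "e1 is from the ACL file" but leaves unsaid what the matcher does with a `*` on the other side: the unchanged first test at the start of the next hunk, `!strncmp(e1->data, "*", e1->length) || !strncmp(e2->data, "*", e2->length)`, still treats a literal `*` component in e2 (the principal being checked) as a wildcard as well, so now that the two arguments have documented roles and the match is no longer symmetric, either drop the e2 half of that test or state in this comment that `*` is honoured on the principal side too. The comment should also say that a `*` anywhere other than the first or last character of a component is compared literally, since an ACL author reading "wildcards at the beginning or end" will otherwise assume glob semantics for `host/*foo*@ANS.NET`. While this block is being edited, the DPRINT in the context names `acl_match_entry` although the function is `acl_match_data`; fix the string.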
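Review bot: In the second hunk (@@ -323,6 +332,17 @@) the new `else if (e2->length < e1->length) { }` branch rejects every candidate shorter than the pattern, so `*foo` does not match `foo` and `foo*` does not match `foo`, although a `*` is normally allowed to match nothing; compare against `e1->length - 1` inside the two wildcard branches instead (the candidate only needs to be at least as long as the pattern with its `*` removed), or, if the non-empty requirement is intended, say so in the header comment. Either way give the empty branch a comment such as `/* pattern longer than candidate: cannot match */` so it is not read as an accidentally dropped body. In the same hunk the leading-`*` test runs before the trailing-`*` test, so a pattern like `*foo*` takes the "beginning" path and compares `foo*` literally against the tail of the candidate; rather than matching such patterns in a way nobody intends, reject components containing more than one `*`, or one in the middle, when the ACL file is loaded.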
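An added C example, not part of this report or of the krb5 sources: it reimplements per-component matching with the semantics the patch describes (whole-component `*`, leading `*`, trailing `*`, everything else literal) over a hypothetical `comp_t` that stands in for krb5_data, lets a wildcard match the empty string, matches principals component by component so a wildcard never crosses `/` or `@`, and contrasts that with the fnmatch() alternative the report mentions, which, applied to the whole principal string, lets `*` span a `/` unless FNM_PATHNAME is given. The principal splitter and every name here are assumptions for illustration; the splitter ignores backslash escaping, which real krb5 principal parsing handles.

```c
#include <fnmatch.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for krb5_data: a buffer that need not be NUL-terminated. */
typedef struct { const char *data; size_t length; } comp_t;

static comp_t mk(const char *s, size_t n) { comp_t c = { s, n }; return c; }

/*
 * Match one ACL pattern component against one principal component.
 * Semantics as in the proposed patch: "*" alone matches anything, a leading
 * "*" matches any suffix, a trailing "*" matches any prefix, and any other
 * component (including one with "*" in the middle) is compared literally.
 * Two deliberate differences from the patch: only the pattern side is
 * interpreted, and a wildcard may match the empty string, so "*foo" matches "foo".
 */
int acl_component_match(comp_t pat, comp_t cand)
{
    size_t n;

    if (pat.length == 1 && pat.data[0] == '*')
        return 1;
    if (pat.length > 0 && pat.data[0] == '*') {               /* "*suffix" */
        n = pat.length - 1;
        return cand.length >= n &&
               memcmp(pat.data + 1, cand.data + (cand.length - n), n) == 0;
    }
    if (pat.length > 0 && pat.data[pat.length - 1] == '*') {  /* "prefix*" */
        n = pat.length - 1;
        return cand.length >= n && memcmp(pat.data, cand.data, n) == 0;
    }
    return pat.length == cand.length &&                        /* literal */
           memcmp(pat.data, cand.data, pat.length) == 0;
}

/* Minimal "a/b/c@REALM" splitter (assumption: no backslash escapes, which
 * real krb5 principal parsing does honour). */
#define MAXC 8
typedef struct { comp_t comp[MAXC]; int ncomp; comp_t realm; } princ_t;

static int parse_principal(const char *s, princ_t *p)
{
    const char *at = strrchr(s, '@'), *start = s, *q;

    if (at == NULL)
        return 0;
    p->realm = mk(at + 1, strlen(at + 1));
    p->ncomp = 0;
    for (q = s; q <= at; q++) {
        if (q == at || *q == '/') {
            if (p->ncomp == MAXC)
                return 0;
            p->comp[p->ncomp++] = mk(start, (size_t)(q - start));
            start = q + 1;
        }
    }
    return 1;
}

/* Component-wise match: the component count must agree, and each component
 * and the realm is matched on its own, so a wildcard never spans '/' or '@'. */
int acl_principal_match(const char *pattern, const char *principal)
{
    princ_t pp, cp;
    int i;

    if (!parse_principal(pattern, &pp) || !parse_principal(principal, &cp))
        return 0;
    if (pp.ncomp != cp.ncomp)
        return 0;
    for (i = 0; i < pp.ncomp; i++)
        if (!acl_component_match(pp.comp[i], cp.comp[i]))
            return 0;
    return acl_component_match(pp.realm, cp.realm);
}

/* The alternative the report floats: fnmatch() on the whole principal string.
 * Without FNM_PATHNAME a '*' also matches '/', so a pattern written for a
 * two-component principal accepts principals with extra components. */
int fnmatch_principal_match(const char *pattern, const char *principal, int flags)
{
    return fnmatch(pattern, principal, flags) == 0;
}

int main(void)
{
    const char *pat = "host/*.bd.ans.net@ANS.NET";
    const char *extra = "host/x/y.bd.ans.net@ANS.NET";   /* constructed input */

    printf("component-wise: %d\n", acl_principal_match(pat, extra));                    /* 0 */
    printf("fnmatch:        %d\n", fnmatch_principal_match(pat, extra, 0));            /* 1 */
    printf("fnmatch+PATH:   %d\n", fnmatch_principal_match(pat, extra, FNM_PATHNAME)); /* 0 */
    return 0;
}
```

The component-wise matcher keeps the patch's order of checks, so a component such as `*foo*` is handled by the leading-wildcard branch and its trailing `*` is literal; if fnmatch() were adopted instead, it would have to be applied per component, not to the whole principal string, or FNM_PATHNAME would at best stop `*` at `/` and still let it cross `@`.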