Subject: kadmind ACL back-references can affect later lines

In kadm5int_acl_find_entry(), the wildcard back-reference state is initialized before the loop over the ACL entries and not cleared for each entry. As a result, any wildcards processed while an entry is being checked will remain in the state structure. So, for example, if the ACL file reads:

    */admin x
    host/* i */*1

then *1 will refer to "host" (from the wildcard in the first line) rather than the second component of the requesting principal.

(Wildcards are not processed if the realm or number of components does not match, or if a previous component did not match, so the above example is somewhat fragile. For instance, if the first line were for admin/* instead of */admin, it wouldn't trip up the back-reference in the second line because we wouldn't process the second-component wildcard for a host principal.)
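The following is an added illustration written for this note; it is not the kadmind source and does not reproduce kadm5int_acl_find_entry(). It models only the part of the matcher the report is about: a principal pattern is compared component by component, each "*" component records the matched requesting-principal component as a back-reference, and the search stops at the first component mismatch. The `buggy` flag selects whether the back-reference state is cleared once before the loop (the reported behaviour) or once per entry (the fix). Realm matching, permission checking and the rest of the kadm5.acl syntax are deliberately left out; the ACL contents and principal names are constructed for the example, and the function and type names are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_COMPS 4
#define MAX_WILDS 9
#define WILD_LEN  64

/* Back-reference state: the requesting-principal components matched by
   wildcards, in the order they were seen.  *1 refers to wilds[0]. */
struct wild_state {
    int nwilds;
    char wilds[MAX_WILDS][WILD_LEN];
};

/* One ACL line (constructed model): principal pattern, permission letters,
   optional target pattern that may contain *1..*9 back-references. */
struct acl_entry {
    const char *princ;
    const char *perms;
    const char *target;   /* NULL if the line has no target */
};

/* Split "a/b" in place into components; returns the component count.
   The realm is not modelled here (assumption: all principals share one). */
static int split_comps(char *buf, const char **comps, int max)
{
    int n = 0;
    char *p = buf, *q;
    while (n < max && p != NULL) {
        q = strchr(p, '/');
        if (q != NULL)
            *q++ = '\0';
        comps[n++] = p;
        p = q;
    }
    return n;
}

/* Match princ against one pattern.  A "*" component matches anything and
   appends the matched component to the back-reference state; a literal
   mismatch stops processing, so later wildcards are never recorded.
   reset != 0 clears the state first (the fix); reset == 0 reproduces the
   report, where state from an earlier, non-matching entry is kept. */
static int match_pattern(const char *pattern, const char *princ,
                         struct wild_state *st, int reset)
{
    char pbuf[128], rbuf[128];
    const char *pc[MAX_COMPS], *rc[MAX_COMPS];
    int np, nr, i;

    snprintf(pbuf, sizeof(pbuf), "%s", pattern);
    snprintf(rbuf, sizeof(rbuf), "%s", princ);
    np = split_comps(pbuf, pc, MAX_COMPS);
    nr = split_comps(rbuf, rc, MAX_COMPS);
    if (reset)
        st->nwilds = 0;
    if (np != nr)                       /* component counts must agree */
        return 0;
    for (i = 0; i < np; i++) {
        if (strcmp(pc[i], "*") == 0) {
            if (st->nwilds < MAX_WILDS)
                snprintf(st->wilds[st->nwilds++], WILD_LEN, "%s", rc[i]);
        } else if (strcmp(pc[i], rc[i]) != 0) {
            return 0;
        }
    }
    return 1;
}

/* Index of the first entry matching princ, or -1.  The state is initialized
   once before the loop; with buggy == 0 each entry additionally clears it. */
static int find_entry(const struct acl_entry *acl, int n, const char *princ,
                      struct wild_state *st, int buggy)
{
    int i;
    st->nwilds = 0;
    for (i = 0; i < n; i++)
        if (match_pattern(acl[i].princ, princ, st, !buggy))
            return i;
    return -1;
}

/* Expand *1..*9 in a target pattern from the recorded back-references;
   an unset reference expands to the empty string. */
static void expand_target(const char *target, const struct wild_state *st,
                          char *out, size_t outlen)
{
    size_t o = 0;
    const char *p;
    for (p = target; *p != '\0' && o + 1 < outlen; p++) {
        if (*p == '*' && p[1] >= '1' && p[1] <= '9') {
            int idx = p[1] - '1';
            const char *rep = (idx < st->nwilds) ? st->wilds[idx] : "";
            size_t len = strlen(rep);
            if (o + len >= outlen)
                break;
            memcpy(out + o, rep, len);
            o += len;
            p++;                        /* skip the digit */
        } else {
            out[o++] = *p;
        }
    }
    out[o] = '\0';
}

/* Expanded target for princ under acl (static buffer; "" if no match or no
   target on the matched line).  Used by the test harness below. */
static const char *target_for(const struct acl_entry *acl, int n,
                              const char *princ, int buggy)
{
    static char out[128];
    struct wild_state st;
    int idx = find_entry(acl, n, princ, &st, buggy);
    out[0] = '\0';
    if (idx >= 0 && acl[idx].target != NULL)
        expand_target(acl[idx].target, &st, out, sizeof(out));
    return out;
}

/* Constructed ACL from the report: the first line's wildcard matches "host"
   and, without a per-entry reset, becomes *1 for the second line. */
static const struct acl_entry acl_report[] = {
    { "*/admin", "x", NULL },
    { "host/*",  "i", "*/*1" },
};
/* Constructed variant with the admin entry written as admin/... instead: the
   first component mismatches before any wildcard is processed, so nothing
   leaks and the two behaviours agree. */
static const struct acl_entry acl_variant[] = {
    { "admin/*", "x", NULL },
    { "host/*",  "i", "*/*1" },
};

int main(void)
{
    printf("report ACL, state kept across entries: host/foo -> %s\n",
           target_for(acl_report, 2, "host/foo", 1));
    printf("report ACL, state cleared per entry:   host/foo -> %s\n",
           target_for(acl_report, 2, "host/foo", 0));
    printf("variant ACL, state kept across entries: host/foo -> %s\n",
           target_for(acl_variant, 2, "host/foo", 1));
    return 0;
}
```

With the report's ACL, a request from host/foo expands the target to */host when the state is kept across entries and to */foo when it is cleared per entry; with the admin/* variant both modes yield */foo, which is the fragility the parenthetical describes.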