Message-Id: <200105171541.KAA22958@gungnir.fnal.gov>
Date: Thu, 17 May 2001 10:41:51 -0500 (CDT)
From: crawdad@fnal.gov
Reply-To: crawdad@fnal.gov
To: krb5-bugs@mit.edu
Cc: krbdev@mit.edu
Subject: auth_to_local RULE: does not allow examination of client REALM
X-Send-Pr-Version: 3.99

>Number: 957
>Category: krb5-libs
>Synopsis: auth_to_local RULE: does not allow examination of client REALM
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Thu May 17 11:56:00 EDT 2001
>Last-Modified:
>Originator: Matt Crawford
>Organization: Fermilab
>Release: krb5-1.2.2
>Environment:
All unix-like systems
System: SunOS gungnir.fnal.gov 5.5.1 Generic_103640-24 sun4u sparc SUNW,Ultra-1
Architecture: sun4

>Description:
Augmenting the default krb5_aname_to_localname() method with some "auth_to_local = RULE:" lines in krb5.conf is worse than useless if there is any cross-realm authentication, because the rules apply without regard to the client's realm.

Also, if the [first part] contains a '$' followed by zero or a negative number, the results will be unpredictable.

>How-To-Repeat:
For example, I might like to be able to consider all users in OTHER.REALM to be equivalent to users of the same name in my realm by writing

    auth_to_local = RULE:[1:$1@$0](.*@OTHER\.REALM)s/@.*//

but the "$0" string does not currently denote the realm and causes unpredictable results due to insufficient bounds checking in rule_an_to_ln().

If I simply wanted to map principals "name/special" to local accounts "name", for all values of "name", I might want to write

    auth_to_local = RULE:[2:$1,$2](.*,special)s/,special//

but if my local realm cross-authenticates with any other realm, matching principals in that realm also get mapped.

>Fix: Index: lib/krb5/os/an_to_ln.c =================================================================== RCS file: /cvs/cd/kerberos/src/lib/krb5/os/an_to_ln.c,v retrieving revision 1.1.1.4 retrieving revision 1.3 diff -u -r1.1.1.4 -r1.3 --- an_to_ln.c 2001/03/12 20:24:43 1.1.1.4 +++ an_to_ln.c 2001/05/01 15:35:37 1.3 @@ -476,7 +476,7 @@ char *selstring = 0; int num_comps, compind; char *cout; - krb5_data *datap; + krb5_const krb5_data *datap; char *outstring; /* @@ -509,9 +509,11 @@ if (*current == '$') { if ((sscanf(current+1, "%d", &compind) == 1) && (compind <= num_comps) && - (datap = krb5_princ_component(context, - aname, - compind-1)) + (datap = + (compind > 0) + ? krb5_princ_component(context, aname, + compind-1) + : krb5_princ_realm(context, aname)) ) { strncpy(cout, datap->data, >Audit-Trail: >Unformatted:
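
Review bot: In the second hunk (@@ -509,9 +509,11 @@), the new conditional sends every compind that is not greater than zero to krb5_princ_realm(), so "$-1" expands to the realm exactly as "$0" does. The report lists a negative number after '$' as a case with unpredictable results, so it would be cleaner to select the realm only when compind == 0 and to fail the rule when compind < 0, next to the existing (compind <= num_comps) test. The new "$0" meaning also needs a line in the documentation of the auth_to_local RULE syntax, since existing rules give no hint that the realm is now selectable.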
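
The realm-blind matching described in the report, and the effect of letting "$0" denote the realm, as an added example that is not part of the original report and is not MIT's rule_an_to_ln(). It is a simplified model of RULE evaluation; the function names, the MY.REALM realm, and the third rule are constructed for illustration.

```python
import re

# Simplified model of "auth_to_local = RULE:[n:fmt](regex)s/pat/rep/".
# Added illustration, not MIT's rule_an_to_ln(); all names are hypothetical.

def apply_rule(principal, ncomp, fmt, regex, pat, rep, dollar0_is_realm=False):
    """Return the mapped local name, or None if the rule does not apply."""
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if len(comps) != ncomp:
        return None

    def expand(m):
        idx = int(m.group(1))
        if idx == 0 and dollar0_is_realm:
            return realm                      # behaviour proposed in the report
        if idx < 1 or idx > ncomp:            # explicit bounds check
            raise ValueError("component index out of range: $%d" % idx)
        return comps[idx - 1]

    selection = re.sub(r"\$(-?\d+)", expand, fmt)
    if re.fullmatch(regex, selection) is None:    # whole string must match
        return None
    return re.sub(pat, rep, selection, count=1)


# First two rules are quoted from the report; the third is constructed.
SPECIAL = (2, "$1,$2", r".*,special", r",special", "")
OTHER = (1, "$1@$0", r".*@OTHER\.REALM", r"@.*", "")
SPECIAL_LOCAL = (2, "$1,$2@$0", r".*,special@MY\.REALM", r",special@.*", "")

def demo():
    local, foreign = "alice/special@MY.REALM", "alice/special@OTHER.REALM"
    return {
        "local": apply_rule(local, *SPECIAL),
        "foreign": apply_rule(foreign, *SPECIAL),   # also mapped: the problem
        "scoped_local": apply_rule(local, *SPECIAL_LOCAL, dollar0_is_realm=True),
        "scoped_foreign": apply_rule(foreign, *SPECIAL_LOCAL, dollar0_is_realm=True),
        "other": apply_rule("bob@OTHER.REALM", *OTHER, dollar0_is_realm=True),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```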