Skip Menu |
 

Date: Fri, 30 Mar 2007 16:10:34 -0500
From: Mike Dopheide <dopheide@ncsa.uiuc.edu>
To: krbdev@mit.edu
Subject: slightly expanded wildcard support for kadm5.acl
Download (untitled) / with headers
text/plain 1.1KiB

Attached is a patch to add wildcard support at the beginning and end of
kadm5.acl components. I'd love to see this or something like it get
added to the standard codebase. We haven't used this in the field yet,
I wanted to get people's opinions first. I may not have considered all
of the implications (please let me know if I'm missing something bad).

We've run into a couple situations here where it would be really handy
to have this.

Example 1:
Temporary guest accounts on a system that doesn't support instances.
This resulted in something similar to guest[001-100] prinicpals and a
hundred kadm5.acl entries so the event coordinator could reset
passwords. This is much more concise:

guest/admin@REALM.COM cmi guest*@REALM.COM


Example 2:
Multiple site admins using a central Kerberos realm. In this case you
can give each site admin control to create/edit host keys in their own
subdomain.

site1/admin@REALM.COM * host/*.site1.realm.com@REALM.COM
site2/admin@REALM.COM * host/*.site2.realm.com@REALM.COM


-Mike

PS. During my testing I noticed that kadmind segfaults if you forget to
add the ACL permissions to a line in kadm5.acl. :)
Download kadm5_acl.patch
text/plain 1.5KiB
diff -Nur krb5-1.6/src/lib/kadm5/srv/server_acl.c krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c
--- krb5-1.6/src/lib/kadm5/srv/server_acl.c 2006-06-16 01:58:42.000000000 -0500
+++ krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c 2007-03-30 14:57:19.000000000 -0500
@@ -543,7 +543,8 @@
/*
* kadm5int_acl_match_data() - See if two data entries match.
*
- * Wildcarding is only supported for a whole component.
+ * Wildcarding is only supported at the beginning, end, or as a
+ * whole component.
*/
static krb5_boolean
kadm5int_acl_match_data(e1, e2, targetflag, ws)
@@ -552,12 +553,37 @@
wildstate_t *ws;
{
krb5_boolean retval;
+ int cmplen=0;
+ int e2offset;
+ int e1offset;

DPRINT(DEBUG_CALLS, acl_debug_level,
("* acl_match_entry(%s, %s)\n", e1->data, e2->data));
retval = 0;
- if (!strncmp(e1->data, "*", e1->length)) {
- retval = 1;
+
+ if(strchr(e1->data, '*')){
+ if(e1->length == 1){
+ /* whole component matches wildcard */
+ retval = 1;
+
+ }else if(e1->data[0] == '*'){
+ /* wildcard at beginning of component */
+ cmplen = e1->length - 1;
+ e2offset = e2->length - cmplen;
+ e1offset = 1;
+
+ }else if(e1->data[e1->length-1] == '*'){
+ /* wildcard at end of component */
+ cmplen = e1->length - 1;
+ e2offset=0;
+ e1offset=0;
+ }
+
+ /* Compare beginning or end of e2->data depending on offsets above */
+ if((strncmp(e1->data+e1offset, e2->data+e2offset, cmplen) == 0) && (e2offset >= 0) && (cmplen != 0)){
+ retval = 1;
+ }
+
if (ws && !targetflag) {
if (ws->nwild >= 9) {
DPRINT(DEBUG_ACL, acl_debug_level,
Date: Fri, 30 Mar 2007 16:34:30 -0500
From: Mike Dopheide <dopheide@ncsa.uiuc.edu>
To: krbdev@mit.edu
Subject: Re: slightly expanded wildcard support for kadm5.acl
Download (untitled) / with headers
text/plain 3.2KiB
And the fixed version of the patch is attached. My apologies.

Mike Dopheide wrote:
Show quoted text
>
> Attached is a patch to add wildcard support at the beginning and end of
> kadm5.acl components. I'd love to see this or something like it get
> added to the standard codebase. We haven't used this in the field yet,
> I wanted to get people's opinions first. I may not have considered all
> of the implications (please let me know if I'm missing something bad).
>
> We've run into a couple situations here where it would be really handy
> to have this.
>
> Example 1:
> Temporary guest accounts on a system that doesn't support instances.
> This resulted in something similar to guest[001-100] prinicpals and a
> hundred kadm5.acl entries so the event coordinator could reset
> passwords. This is much more concise:
>
> guest/admin@REALM.COM cmi guest*@REALM.COM
>
>
> Example 2:
> Multiple site admins using a central Kerberos realm. In this case you
> can give each site admin control to create/edit host keys in their own
> subdomain.
>
> site1/admin@REALM.COM * host/*.site1.realm.com@REALM.COM
> site2/admin@REALM.COM * host/*.site2.realm.com@REALM.COM
>
>
> -Mike
>
> PS. During my testing I noticed that kadmind segfaults if you forget to
> add the ACL permissions to a line in kadm5.acl. :)
>
>
> ------------------------------------------------------------------------
>
> diff -Nur krb5-1.6/src/lib/kadm5/srv/server_acl.c krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c
> --- krb5-1.6/src/lib/kadm5/srv/server_acl.c 2006-06-16 01:58:42.000000000 -0500
> +++ krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c 2007-03-30 14:57:19.000000000 -0500
> @@ -543,7 +543,8 @@
> /*
> * kadm5int_acl_match_data() - See if two data entries match.
> *
> - * Wildcarding is only supported for a whole component.
> + * Wildcarding is only supported at the beginning, end, or as a
> + * whole component.
> */
> static krb5_boolean
> kadm5int_acl_match_data(e1, e2, targetflag, ws)
> @@ -552,12 +553,37 @@
> wildstate_t *ws;
> {
> krb5_boolean retval;
> + int cmplen=0;
> + int e2offset;
> + int e1offset;
>
> DPRINT(DEBUG_CALLS, acl_debug_level,
> ("* acl_match_entry(%s, %s)\n", e1->data, e2->data));
> retval = 0;
> - if (!strncmp(e1->data, "*", e1->length)) {
> - retval = 1;
> +
> + if(strchr(e1->data, '*')){
> + if(e1->length == 1){
> + /* whole component matches wildcard */
> + retval = 1;
> +
> + }else if(e1->data[0] == '*'){
> + /* wildcard at beginning of component */
> + cmplen = e1->length - 1;
> + e2offset = e2->length - cmplen;
> + e1offset = 1;
> +
> + }else if(e1->data[e1->length-1] == '*'){
> + /* wildcard at end of component */
> + cmplen = e1->length - 1;
> + e2offset=0;
> + e1offset=0;
> + }
> +
> + /* Compare beginning or end of e2->data depending on offsets above */
> + if((strncmp(e1->data+e1offset, e2->data+e2offset, cmplen) == 0) && (e2offset >= 0) && (cmplen != 0)){
> + retval = 1;
> + }
> +
> if (ws && !targetflag) {
> if (ws->nwild >= 9) {
> DPRINT(DEBUG_ACL, acl_debug_level,
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> krbdev mailing list krbdev@mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
Download kadm5_acl-2.patch
text/plain 1.6KiB
diff -Nur krb5-1.6/src/lib/kadm5/srv/server_acl.c krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c
--- krb5-1.6/src/lib/kadm5/srv/server_acl.c 2006-06-16 01:58:42.000000000 -0500
+++ krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c 2007-03-30 16:29:24.000000000 -0500
@@ -543,7 +543,8 @@
/*
* kadm5int_acl_match_data() - See if two data entries match.
*
- * Wildcarding is only supported for a whole component.
+ * Wildcarding is only supported at the beginning, end, or as a
+ * whole component.
*/
static krb5_boolean
kadm5int_acl_match_data(e1, e2, targetflag, ws)
@@ -552,12 +553,41 @@
wildstate_t *ws;
{
krb5_boolean retval;
+ int cmplen=0;
+ int e2offset;
+ int e1offset;

DPRINT(DEBUG_CALLS, acl_debug_level,
("* acl_match_entry(%s, %s)\n", e1->data, e2->data));
retval = 0;
- if (!strncmp(e1->data, "*", e1->length)) {
- retval = 1;
+
+ if(strchr(e1->data, '*')){
+ if(e1->length == 1){
+ /* whole component matches wildcard */
+ retval = 1;
+
+ }else if(e1->data[0] == '*'){
+ /* wildcard at beginning of component */
+ cmplen = e1->length - 1;
+ e2offset = e2->length - cmplen;
+ e1offset = 1;
+
+ }else if(e1->data[e1->length-1] == '*'){
+ /* wildcard at end of component */
+ cmplen = e1->length - 1;
+ if(e2->length < cmplen){
+ e2offset = -1;
+ }else{
+ e2offset=0;
+ e1offset=0;
+ }
+ }
+
+ /* Compare beginning or end of e2->data depending on offsets above */
+ if((strncmp(e1->data+e1offset, e2->data+e2offset, cmplen) == 0) && (e2offset >= 0) && (cmplen != 0)){
+ retval = 1;
+ }
+
if (ws && !targetflag) {
if (ws->nwild >= 9) {
DPRINT(DEBUG_ACL, acl_debug_level,