Subject: kadmind ACL back-references can affect later lines
In kadm5int_acl_find_entry(), the wildcard back-reference state is
initialized before the loop over the acl entries and not cleared for
each entry. As a result, any wildcards processed while an entry is
being checked will remain in the state structure. So, for example,
if the ACL file reads:

*/admin x
host/* i */*1

then *1 will refer to "host" (from the wildcard in the first line)
rather than the second component of the requesting principal.

(Wildcards are not processed if the realm or number of components
does not match, or if a previous component did not match, so the
above example is somewhat fragile. For instance, if the first line
were for admin/* instead of */admin, it wouldn't trip up the back-
reference in the second line because we wouldn't process the second-
component wildcard for a host principal.)
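
An added illustration of the matching semantics described above (constructed for this page; it is not krb5's code and does not reproduce server_acl.c): a small Python model of ACL entry matching in which a '*' component records the value it matched, '*N' in a target pattern refers to the N-th recorded wildcard, and wildcards are only recorded for components that are actually compared. The clear_per_entry switch selects the pre-fix scoping of the back-reference list (one list for the whole loop) or the fixed scoping (a fresh list per entry). DEFAULT_REALM, the ACL texts, the principal names, and the choice to let a bare '*' in a target pattern also record its value are assumptions of this model, not facts from the ticket.

```python
"""Model of kadmind ACL wildcard back-reference matching.

Constructed example for this ticket; it is not krb5 code.  It follows the
semantics the report describes: a '*' component records the value it
matched, '*N' in a target pattern refers to the N-th recorded wildcard, and
wildcards are recorded only for components actually compared (realm and
component count must match first, and comparison stops at the first
mismatching component).  clear_per_entry=False reproduces the pre-fix
scoping of the back-reference list; True reproduces the fix.
"""
import re

DEFAULT_REALM = "EXAMPLE.COM"   # assumption: realm used when none is written

# Constructed ACL files: the report's example and its "fragile" variant.
ACL_BUGGY_EXAMPLE = "*/admin x\nhost/* i */*1\n"
ACL_FRAGILE_EXAMPLE = "admin/* x\nhost/* i */*1\n"


def parse_principal(text):
    """'a/b@REALM' -> (['a', 'b'], 'REALM'); a missing realm becomes DEFAULT_REALM."""
    name, _, realm = text.partition("@")
    return name.split("/"), (realm or DEFAULT_REALM)


def parse_acl(text):
    """Parse kadm5.acl-style lines: 'principal ops [target]'; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 2:
            raise ValueError("bad ACL line: %r" % line)
        target = fields[2] if len(fields) > 2 else None
        entries.append((fields[0], fields[1], target))
    return entries


def match_component(pattern, value, wild, targetflag):
    """Compare one component; '*' records the value, '*N' (targets only) back-references."""
    if pattern == "*":
        wild.append(value)      # assumption: '*' records in target patterns too
        return True
    m = re.fullmatch(r"\*([1-9])", pattern)
    if targetflag and m:
        idx = int(m.group(1)) - 1
        return idx < len(wild) and wild[idx] == value
    return pattern == value


def match_principal(pattern, principal, wild, targetflag):
    """Match a whole principal against a pattern, appending wildcard values to wild."""
    pcomps, prealm = parse_principal(pattern)
    comps, realm = parse_principal(principal)
    # No wildcard is processed unless realm and component count match.
    if (prealm != "*" and prealm != realm) or len(pcomps) != len(comps):
        return False
    for p, c in zip(pcomps, comps):
        if not match_component(p, c, wild, targetflag):
            return False        # later components are never examined
    return True


def find_entry(entries, principal, target=None, clear_per_entry=True):
    """Index of the first entry whose principal (and target, if any) match, else None."""
    wild = []                   # pre-fix: one list shared by every entry
    for i, (ppat, _ops, tpat) in enumerate(entries):
        if clear_per_entry:
            wild = []           # fix: fresh back-reference list for each entry
        if ppat != "*" and not match_principal(ppat, principal, wild, False):
            continue
        if tpat is not None and tpat != "*":
            if target is None or not match_principal(tpat, target, wild, True):
                continue
        return i
    return None


def check(acl_text, principal, op, target=None, clear_per_entry=True):
    """True if the first matching entry grants op ('x' or '*' grant everything)."""
    entries = parse_acl(acl_text)
    i = find_entry(entries, principal, target, clear_per_entry)
    if i is None:
        return False
    ops = entries[i][1]
    return ops in ("x", "*") or op in ops


if __name__ == "__main__":
    for fixed in (False, True):
        label = "fixed" if fixed else "pre-fix"
        for tgt in ("bar/foo", "bar/host"):
            print(label, "host/foo inquiring", tgt, "->",
                  check(ACL_BUGGY_EXAMPLE, "host/foo", "i", tgt, clear_per_entry=fixed))
```

With the report's ACL and a requester host/foo, the pre-fix scoping lets the "*" from the non-matching "*/admin" line leak into the second entry, so *1 expands to "host": inquire on bar/host is granted and inquire on bar/foo is denied, the opposite of what the ACL author wrote. With per-entry clearing, *1 is "foo" and the results flip. With ACL_FRAGILE_EXAMPLE the first component "admin" already fails against "host", so no wildcard is recorded and both scopings agree, which is the fragility the report points out.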
From: ghudson@mit.edu
Subject: git commit

Fix scope of kadmind ACL wildcard back-references

In kadm5int_acl_find_entry(), clear the wildcard back-references list
for each acl entry. Otherwise the wildcards we process can affect
back-references for later entries.

https://github.com/krb5/krb5/commit/d3d18b8d8d7a47766fd4e9667d045035f43d90ef
Author: Greg Hudson <ghudson@mit.edu>
Commit: d3d18b8d8d7a47766fd4e9667d045035f43d90ef
Branch: master
src/lib/kadm5/srv/server_acl.c | 2 +-
src/tests/t_kadmin_acl.py | 2 ++
2 files changed, 3 insertions(+), 1 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Fix scope of kadmind ACL wildcard back-references

In kadm5int_acl_find_entry(), clear the wildcard back-references list
for each acl entry. Otherwise the wildcards we process can affect
back-references for later entries.

(cherry picked from commit d3d18b8d8d7a47766fd4e9667d045035f43d90ef)

https://github.com/krb5/krb5/commit/8e67dce9379c0f50bdccc12619fecad423aa5384
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 8e67dce9379c0f50bdccc12619fecad423aa5384
Branch: krb5-1.13
src/lib/kadm5/srv/server_acl.c | 2 +-
src/tests/t_kadmin_acl.py | 2 ++
2 files changed, 3 insertions(+), 1 deletions(-)