Subject: kadmind ACL back-references can affect later lines
In kadm5int_acl_find_entry(), the wildcard back-reference state is
initialized before the loop over the acl entries and not cleared for
each entry. As a result, any wildcards processed while an entry is
being checked will remain in the state structure. So, for example,
if the ACL file reads:
    */admin x
    host/* i */*1
then *1 will refer to "host" (from the wildcard in the first line)
rather than the second component of the requesting principal.
(Wildcards are not processed if the realm or number of components
does not match, or if a previous component did not match, so the
above example is somewhat fragile. For instance, if the first line
were for admin/* instead of */admin, it wouldn't trip up the back-
reference in the second line because we wouldn't process the second-
component wildcard for a host principal.)
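
A simplified C model of the lookup described above, added here as an illustration and not taken from the krb5 source. The struct and function names, the restriction to two-component principals and the requesting principal host/foo.example.com are assumptions. With clear_per_entry set to 0 the wildcard state survives from the first ACL line; with 1 it is reset for each entry.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of the ACL lookup; all names here are hypothetical. */
#define MAXWILD 8
struct wild_state { int nwild; const char *ref[MAXWILD]; };
struct acl_entry { const char *line; const char *pat[2]; int backref; };

/* Compare a two-component principal to one entry, recording wildcard hits. */
static int match_entry(const struct acl_entry *e, const char *const comp[2],
                       struct wild_state *ws) {
    for (int i = 0; i < 2; i++) {
        if (strcmp(e->pat[i], "*") == 0) {
            if (ws->nwild < MAXWILD)
                ws->ref[ws->nwild++] = comp[i];
        } else if (strcmp(e->pat[i], comp[i]) != 0) {
            return 0;  /* mismatch: later components are not processed */
        }
    }
    return 1;
}

/* Return what the matching entry's *N resolves to, or NULL. */
const char *resolve_backref(const struct acl_entry *acl, int n,
                            const char *const comp[2], int clear_per_entry) {
    struct wild_state ws = { 0, { NULL } };  /* set up once, before the loop */
    for (int i = 0; i < n; i++) {
        if (clear_per_entry)
            ws.nwild = 0;  /* discard wildcards left by earlier entries */
        if (match_entry(&acl[i], comp, &ws)) {
            int k = acl[i].backref;
            return (k >= 1 && k <= ws.nwild) ? ws.ref[k - 1] : NULL;
        }
    }
    return NULL;
}

/* The report's two ACL lines, then the variant with its first line changed. */
const struct acl_entry acl_report[] = {
    { "*/admin x", { "*", "admin" }, 0 },
    { "host/* i */*1", { "host", "*" }, 1 } };
const struct acl_entry acl_variant[] = {
    { "admin/* x", { "admin", "*" }, 0 },
    { "host/* i */*1", { "host", "*" }, 1 } };

int main(void) {
    const char *const req[2] = { "host", "foo.example.com" };  /* constructed */
    printf("stale:   *1 = %s\n", resolve_backref(acl_report, 2, req, 0));
    printf("cleared: *1 = %s\n", resolve_backref(acl_report, 2, req, 1));
    printf("variant: *1 = %s\n", resolve_backref(acl_variant, 2, req, 0));
}
```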