Subject: kadm5.acl flag restrictions don't use documented syntax
If a kadm5.acl entry contains restrictions, we attempt to parse each
restriction field using krb5_string_to_flags(), which uses the syntax
documented for default_principal_flags in kdc_conf.rst.

However, kadm5_acl.rst claims that the permissible flags are the ones
from kadmin addprinc/modprinc. Those commands use different flag
names.

Compounding the issue, if we fail to parse the restriction string, we
silently discard the ACL entry--there is a DPRINT, but that does
nothing in a default build. We also do that if we fail to parse the
source or target principal name.
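
A way to catch the affected entries before kadmind silently drops them, as an added example that is not part of the ticket or of the krb5 source: it flags restriction fields whose flag name is not in the default_principal_flags syntax and suggests the matching spelling. Assumptions: fields are whitespace-separated, names are compared strictly, and both name tables were copied by hand from the kdc.conf and kadmin documentation, so verify them against your release.

```python
# Flag spellings in the default_principal_flags syntax (kdc.conf docs).
# Assumption: table copied by hand; verify against your krb5 release.
KDC_CONF_FLAGS = {
    "allow-tickets", "dup-skey", "forwardable", "hwauth",
    "no-auth-data-required", "ok-as-delegate", "ok-to-auth-as-delegate",
    "postdateable", "preauth", "proxiable", "pwchange", "pwservice",
    "renewable", "service", "tgt-based",
}
# kadmin addprinc/modprinc spellings and their kdc.conf counterparts.
KADMIN_TO_KDC = {
    "allow_postdated": "postdateable", "allow_forwardable": "forwardable",
    "allow_renewable": "renewable", "allow_proxiable": "proxiable",
    "allow_dup_skey": "dup-skey", "requires_preauth": "preauth",
    "requires_hwauth": "hwauth", "allow_svr": "service",
    "allow_tgs_req": "tgt-based", "allow_tix": "allow-tickets",
    "needchange": "pwchange", "password_changing_service": "pwservice",
}
# Non-flag restrictions; True means the next field is the value.
KEYWORDS = {"-clearpolicy": False, "-policy": True, "-expire": True,
            "-pwexpire": True, "-maxlife": True, "-maxrenewlife": True}

def lint_acl(text):
    """Return (line number, field, suggestion) for each unparseable flag."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        rest = iter(fields[3:])  # after principal, permissions, target
        for field in rest:
            if field in KEYWORDS:
                if KEYWORDS[field]:
                    next(rest, None)  # skip the keyword's value
                continue
            name = field.lstrip("+-")
            if name not in KDC_CONF_FLAGS:
                findings.append((lineno, field, KADMIN_TO_KDC.get(name)))
    return findings

# Constructed sample: line 2 uses kadmin spellings, line 3 the kdc.conf ones.
SAMPLE_ACL = """\
# constructed kadm5.acl for illustration
*/admin@EXAMPLE.COM  a  *  -maxlife 9h +requires_preauth -allow_forwardable
*/ops@EXAMPLE.COM    a  *  -maxlife 9h +preauth -forwardable
"""

if __name__ == "__main__":
    for lineno, field, hint in lint_acl(SAMPLE_ACL):
        print(f"line {lineno}: {field!r} not a kdc.conf flag name; try {hint}")
```

A suggestion of `None` means the name appears in neither table and needs a manual look.
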
From: ghudson@mit.edu
Subject: git commit

Document correct flag names for kadm5.acl

kadm5.acl entries can include restrictions which can force flag values
on or off. These flag values are parsed with krb5_string_to_flags(),
which means the flag names are the ones for default_principal_flags,
not the ones for kadmin addprinc/modprinc.

https://github.com/krb5/krb5/commit/ef21069070c1eb2ab1ade1d1406f5cd3920c83a9
Author: Greg Hudson <ghudson@mit.edu>
Commit: ef21069070c1eb2ab1ade1d1406f5cd3920c83a9
Branch: master
doc/admin/conf_files/kadm5_acl.rst | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
From: ghudson@mit.edu
Subject: git commit

Log invalid restrictions strings

In kadm5int_acl_parse_restrictions(), output a log message if we break
out of the parsing loop with an error. The current structure of the
loop makes it difficult to pinpoint the bad restrictions field, so
just output the whole string.

https://github.com/krb5/krb5/commit/e9eaafeab12b2b62595f4dff2fca3345b2d95b4a
Author: Greg Hudson <ghudson@mit.edu>
Commit: e9eaafeab12b2b62595f4dff2fca3345b2d95b4a
Branch: master
src/lib/kadm5/srv/server_acl.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Document correct flag names for kadm5.acl

kadm5.acl entries can include restrictions which can force flag values
on or off. These flag values are parsed with krb5_string_to_flags(),
which means the flag names are the ones for default_principal_flags,
not the ones for kadmin addprinc/modprinc.

(cherry picked from commit ef21069070c1eb2ab1ade1d1406f5cd3920c83a9)

https://github.com/krb5/krb5/commit/185114aa35508e46c90354d8ddea76f65fe556d8
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 185114aa35508e46c90354d8ddea76f65fe556d8
Branch: krb5-1.13
doc/admin/conf_files/kadm5_acl.rst | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Log invalid restrictions strings

In kadm5int_acl_parse_restrictions(), output a log message if we break
out of the parsing loop with an error. The current structure of the
loop makes it difficult to pinpoint the bad restrictions field, so
just output the whole string.

(cherry picked from commit e9eaafeab12b2b62595f4dff2fca3345b2d95b4a)

https://github.com/krb5/krb5/commit/1ff2ecc7890ae4b843c77c2ba68f5a152806bf05
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 1ff2ecc7890ae4b843c77c2ba68f5a152806bf05
Branch: krb5-1.13
src/lib/kadm5/srv/server_acl.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)