From djm@web.us.uu.net Fri Apr 14 12:44:58 2000
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2])
by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id MAA03287
for <bugs@RT-11.MIT.EDU>; Fri, 14 Apr 2000 12:44:57 -0400 (EDT)
Received: from jenkins.web.us.uu.net by MIT.EDU with SMTP
id AA08981; Fri, 14 Apr 00 12:44:52 EDT
Received: from dagger.web.us.uu.net by jenkins.web.us.uu.net with ESMTP
(peer crosschecked as: dagger.web.us.uu.net [208.211.134.28])
id MAA11630; Fri, 14 Apr 2000 12:44:55 -0400 (EDT)
Received: by dagger.web.us.uu.net
id MAA28744; Fri, 14 Apr 2000 12:44:32 -0400
Message-Id: <MAA28744.200004141644@dagger.web.us.uu.net>
Date: Fri, 14 Apr 2000 12:44:32 -0400
From: djm@web.us.uu.net (David J. MacKenzie)
Reply-To: djm@web.us.uu.net
To: krb5-bugs@MIT.EDU
Cc: djm@web.us.uu.net
Subject: enhancement to KDC ACL wildcards
X-Send-Pr-Version: 3.99

>Number: 843
>Category: krb5-libs
>Synopsis: allow more flexible wildcards in ACL files
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Fri Apr 14 12:45:01 EDT 2000
>Last-Modified:
>Originator: David MacKenzie
>Organization:
UUNET Technologies
>Release: krb5-1.1.1
>Environment:

System: Linux dagger.web.us.uu.net 2.2.14-15mdk #2 Sat Mar 11 19:32:26 EST 2000 i686 unknown
Architecture: i686

>Description:
Administrative control over kadmin is not as flexible as
some organizations would like. It would be desirable to only
allow certain users to change certain kinds of principals.

>How-To-Repeat:

>Fix:

The following patch is from walrus@ans.net (Michael Shiplett) of UUNET.
Maybe using fnmatch() would be even better, but anyway this isn't
disruptive and doesn't introduce any portability problems.

--- /homes/elves/djm/src/krb5-1.1.1/src/lib/kadm5/srv/server_acl.c Fri Dec 17 15:47:03 1999
+++ src/lib/kadm5/srv/server_acl.c Tue Mar 28 16:39:10 2000
@@ -309,13 +309,22 @@
/*
* acl_match_data() - See if two data entries match.
*
- * Wildcarding is only supported for a whole component.
+ * Wildcarding is supported for a whole component,
+ * or at the beginning or end of a component.
+ * This allows, e.g.,
+ * walrus * host/*.bd.ans.net@ANS.NET
+ * to restrict walrus to creating/modifying only bd.ans.net host principals
+ * in addition to being able to restrict by
+ * walrus * host/*@ANS.NET
+ *
+ * e1 is from the ACL file.
*/
static krb5_boolean
acl_match_data(e1, e2)
krb5_data *e1, *e2;
{
krb5_boolean retval;
+ char *e1s, *e2s;

DPRINT(DEBUG_CALLS, acl_debug_level,
("* acl_match_entry(%s, %s)\n", e1->data, e2->data));
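Review bot: The new header comment says wildcarding is supported "at the beginning or end of a component", but the code it documents recognises only one of the two per pattern (the leading-`*` test runs first, so in a pattern such as `*foo*` the trailing `*` is compared literally); the comment should state that explicitly, e.g. "a single `*` is recognised as the first or last character of a component". The added line `* e1 is from the ACL file.` is important and should stay, because unlike the original whole-component check the new prefix/suffix logic is not symmetric in its arguments. Minor and pre-existing: the DPRINT trace prints `acl_match_entry` although the function is `acl_match_data`; worth fixing while this header is being edited.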
@@ -323,6 +332,17 @@
if (!strncmp(e1->data, "*", e1->length) ||
!strncmp(e2->data, "*", e2->length)) {
retval = 1;
+ } else if (e2->length < e1->length) {
+ } else if (e1->length && (!strncmp(e1->data, "*", 1))) {
+ /* beginning */
+ e1s = e1->data + 1;
+ e2s = e2->data + (e2->length - (e1->length - 1));
+ if (!strncmp(e1s, e2s, (e1->length - 1)))
+ retval = 1;
+ } else if (e1->length && !strncmp(e1->data + (e1->length - 1), "*", 1)) {
+ /* end */
+ if (!strncmp(e1->data, e2->data, (e1->length - 1)))
+ retval = 1;
}
else {
if ((e1->length == e2->length) &&
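Review bot: The branch `} else if (e2->length < e1->length) {` has an empty body, so a candidate shorter than the pattern falls through with whatever value `retval` already holds instead of an explicit decision; either set `retval = 0;` there or add a comment saying the fall-through is intended. The comparison is also off by one for the wildcard cases: `*bd.ans.net` is 11 characters and `bd.ans.net` is 10, so the candidate is rejected here before the `/* beginning */` code runs, even though a `*` should be able to match nothing (likewise `host/*` never matches `host/`); comparing against `e1->length - 1` when the pattern starts or ends with `*` would fix both. Pre-existing, but worth noting in an ACL matcher: the unchanged test `!strncmp(e1->data, "*", e1->length)` returns a match for a zero-length `e1`, so if an empty ACL component can ever reach this function it matches everything.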
>Audit-Trail:
>Unformatted: