From djm@web.us.uu.net Fri Apr 14 12:44:58 2000
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2])
by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id MAA03287
for <bugs@RT-11.MIT.EDU>; Fri, 14 Apr 2000 12:44:57 -0400 (EDT)
Received: from jenkins.web.us.uu.net by MIT.EDU with SMTP
id AA08981; Fri, 14 Apr 00 12:44:52 EDT
Received: from dagger.web.us.uu.net by jenkins.web.us.uu.net with ESMTP
(peer crosschecked as: dagger.web.us.uu.net [208.211.134.28])
id MAA11630; Fri, 14 Apr 2000 12:44:55 -0400 (EDT)
Received: by dagger.web.us.uu.net
id MAA28744; Fri, 14 Apr 2000 12:44:32 -0400
Message-Id: <MAA28744.200004141644@dagger.web.us.uu.net>
Date: Fri, 14 Apr 2000 12:44:32 -0400
From: djm@web.us.uu.net (David J. MacKenzie)
Reply-To: djm@web.us.uu.net
To: krb5-bugs@MIT.EDU
Cc: djm@web.us.uu.net
Subject: enhancement to KDC ACL wildcards
X-Send-Pr-Version: 3.99
>Number: 843
>Category: krb5-libs
>Synopsis: allow more flexible wildcards in ACL files
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Fri Apr 14 12:45:01 EDT 2000
>Last-Modified:
>Originator: David MacKenzie
>Organization:
UUNET Technologies
>Release: krb5-1.1.1
>Environment:
System: Linux dagger.web.us.uu.net 2.2.14-15mdk #2 Sat Mar 11 19:32:26 EST 2000 i686 unknown
Architecture: i686
>Description:
Administrative control over kadmin is not as flexible as some organizations would like. It would be desirable to only
allow certain users to change certain kinds of principals.
>How-To-Repeat:
>Fix:
The following patch is from walrus@ans.net (Michael Shiplett) of UUNET.
Maybe using fnmatch() would be even better, but anyway this isn't
disruptive and doesn't introduce any portability problems.
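As an added illustration of the fnmatch() alternative mentioned above (my own code, not the patch below and not part of kadm5): a length-delimited reimplementation of the whole/leading/trailing-star semantics the patch's comment documents, including its length guard, beside an fnmatch(3)-based matcher, run over constructed ACL-pattern/principal-component pairs to show where the two disagree. The struct `comp`, the helpers and the sample pairs are all assumptions for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Length-delimited component, like krb5_data (not necessarily NUL-terminated). */
typedef struct { const char *data; size_t length; } comp;
static comp mk(const char *s) { comp c = { s, strlen(s) }; return c; }

/* My reimplementation (not the patch's code) of the semantics its comment gives:
 * bare "*" matches anything, leading "*" a suffix, trailing "*" a prefix, anything
 * else must match exactly. pat is the ACL-file side (e1 in the patch), sub the
 * principal component (e2); as in the patch, sub shorter than pat never matches. */
static int patch_style_match(comp pat, comp sub)
{
    if (pat.length == 1 && pat.data[0] == '*')
        return 1;
    if (sub.length < pat.length)
        return 0;
    if (pat.length && pat.data[0] == '*')              /* leading star: compare tails */
        return memcmp(pat.data + 1, sub.data + (sub.length - (pat.length - 1)),
                      pat.length - 1) == 0;
    if (pat.length && pat.data[pat.length - 1] == '*') /* trailing star: compare heads */
        return memcmp(pat.data, sub.data, pat.length - 1) == 0;
    return pat.length == sub.length && memcmp(pat.data, sub.data, pat.length) == 0;
}

/* The fnmatch(3) alternative: needs NUL-terminated copies, and its "*" may match
 * zero characters and sit anywhere; "?" and "[...]" are special as well. */
static int fnmatch_style_match(comp pat, comp sub)
{
    char p[256], s[256];
    if (pat.length >= sizeof p || sub.length >= sizeof s)
        return 0;                   /* oversized input: refuse rather than truncate */
    memcpy(p, pat.data, pat.length); p[pat.length] = '\0';
    memcpy(s, sub.data, sub.length); s[sub.length] = '\0';
    return fnmatch(p, s, 0) == 0;
}

int main(void)
{
    static const char *cases[][2] = {           /* constructed pattern/component pairs */
        { "*", "anything" }, { "*.bd.ans.net", "www.bd.ans.net" }, { "host*", "hostname" },
        { "host*", "host" }, { "a*b", "axxb" }, { "ho?t", "host" } };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-14s %-16s patch=%d fnmatch=%d\n", cases[i][0], cases[i][1],
               patch_style_match(mk(cases[i][0]), mk(cases[i][1])),
               fnmatch_style_match(mk(cases[i][0]), mk(cases[i][1])));
    return 0;
}
```

The last three pairs are the ones where switching to fnmatch() would widen what an ACL line grants: a star matching the empty string, a star in mid-component, and the extra `?` metacharacter.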
--- /homes/elves/djm/src/krb5-1.1.1/src/lib/kadm5/srv/server_acl.c Fri Dec 17 15:47:03 1999
+++ src/lib/kadm5/srv/server_acl.c Tue Mar 28 16:39:10 2000
@@ -309,13 +309,22 @@
/*
* acl_match_data() - See if two data entries match.
*
- * Wildcarding is only supported for a whole component.
+ * Wildcarding is supported for a whole component,
+ * or at the beginning or end of a component.
+ * This allows, e.g.,
+ * walrus * host/*.bd.ans.net@ANS.NET
+ * to restrict walrus to creating/modifying only bd.ans.net host principals
+ * in addition to being able to restrict by
+ * walrus * host/*@ANS.NET
+ *
+ * e1 is from the ACL file.
*/
static krb5_boolean
acl_match_data(e1, e2)
krb5_data *e1, *e2;
{
krb5_boolean retval;
+ char *e1s, *e2s;
DPRINT(DEBUG_CALLS, acl_debug_level,
("* acl_match_entry(%s, %s)\n", e1->data, e2->data));
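Review bot: the new comment line `* e1 is from the ACL file.` documents an asymmetry the code only partly honours: the leading/trailing-star forms added in the next hunk are applied to e1 only, while the pre-existing whole-component test there still treats a bare `*` on the e2 side (the principal being operated on) as matching everything. Either say in this comment that e2 wildcards are deliberately limited to the whole-component case, or make the ACL file the single source of wildcards by restricting that test to e1. Minor: the DPRINT retained as context still labels this function `acl_match_entry`; `acl_match_data` would match the comment heading.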
@@ -323,6 +332,17 @@
if (!strncmp(e1->data, "*", e1->length) ||
!strncmp(e2->data, "*", e2->length)) {
retval = 1;
+ } else if (e2->length < e1->length) {
+ } else if (e1->length && (!strncmp(e1->data, "*", 1))) {
+ /* beginning */
+ e1s = e1->data + 1;
+ e2s = e2->data + (e2->length - (e1->length - 1));
+ if (!strncmp(e1s, e2s, (e1->length - 1)))
+ retval = 1;
+ } else if (e1->length && !strncmp(e1->data + (e1->length - 1), "*", 1)) {
+ /* end */
+ if (!strncmp(e1->data, e2->data, (e1->length - 1)))
+ retval = 1;
}
else {
if ((e1->length == e2->length) &&
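Review bot: the empty `} else if (e2->length < e1->length) {` branch does real work (it keeps the suffix arithmetic `e2->data + (e2->length - (e1->length - 1))` from pointing before e2->data when the principal component is shorter than the pattern) but reads like an unfinished edit; give it a comment such as `/* target shorter than pattern: cannot match */`. It also means a star must cover at least one character, so `host*` will not match a bare `host`, unlike the fnmatch() semantics the cover note mentions; either state that in the function comment or relax the guard to `e2->length + 1 < e1->length`, which still keeps both strncmp() calls within e2. A pattern starred at both ends (`*foo*`) is handled by the leading branch only, so its trailing `*` is compared literally; worth one sentence in the comment as well.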
>Audit-Trail:
>Unformatted: