From crawdad@gungnir.fnal.gov Thu May 17 11:55:23 2001
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.72.0.53])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id LAA14477
for <bugs@RT-11.mit.edu>; Thu, 17 May 2001 11:55:22 -0400 (EDT)
Received: from gungnir.fnal.gov (gungnir.fnal.gov [131.225.80.1])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id LAA03520;
Thu, 17 May 2001 11:42:30 -0400 (EDT)
Received: (from crawdad@localhost)
by gungnir.fnal.gov (8.9.1/8.9.1) id KAA22958;
Thu, 17 May 2001 10:41:51 -0500 (CDT)
Message-Id: <200105171541.KAA22958@gungnir.fnal.gov>
Date: Thu, 17 May 2001 10:41:51 -0500 (CDT)
From: crawdad@fnal.gov
Reply-To: crawdad@fnal.gov
To: krb5-bugs@mit.edu
Cc: krbdev@mit.edu
Subject: auth_to_local RULE: does not allow examination of client REALM
X-Send-Pr-Version: 3.99
>Number: 957
>Category: krb5-libs
>Synopsis: auth_to_local RULE: does not allow examination of client REALM
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: change-request
>Submitter-Id: unknown
>Arrival-Date: Thu May 17 11:56:00 EDT 2001
>Last-Modified:
>Originator: Matt Crawford
>Organization: Fermilab
>Release: krb5-1.2.2
>Environment:
All unix-like systems
System: SunOS gungnir.fnal.gov 5.5.1 Generic_103640-24 sun4u sparc SUNW,Ultra-1
Architecture: sun4
>Description:
Augmenting the default krb5_aname_to_localname() method with
some "auth_to_local = RULE:<sed-exp>" lines in krb5.conf is worse
than useless if there is any cross-realm authentication,
because the rules apply without regard to the client's realm.
Also, if the [first part] contains a '$' followed by zero or
a negative number, the results will be unpredictable.
>How-To-Repeat:
For example, I might like to be able to consider all users in
OTHER.REALM to be equivalent to users of the same name in my
realm by writing
auth_to_local = RULE:[1:$1@$0](.*@OTHER\.REALM)s/@.*//
but the "$0" string does not currently denote the realm and
causes unpredictable results due to insufficient bounds
checking in rule_an_to_ln().
If I simply wanted to map principals "name/special" to local
accounts "name", for all values of "name", I might want to
write
auth_to_local = RULE:[2:$1,$2](.*,special)s/,special//
but if my local realm cross-authenticates with any other
realm, matching principals in that realm also get mapped.
>Fix:
Index: lib/krb5/os/an_to_ln.c
===================================================================
RCS file: /cvs/cd/kerberos/src/lib/krb5/os/an_to_ln.c,v
retrieving revision 1.1.1.4
retrieving revision 1.3
diff -u -r1.1.1.4 -r1.3
--- an_to_ln.c 2001/03/12 20:24:43 1.1.1.4
+++ an_to_ln.c 2001/05/01 15:35:37 1.3
@@ -476,7 +476,7 @@
char *selstring = 0;
int num_comps, compind;
char *cout;
- krb5_data *datap;
+ krb5_const krb5_data *datap;
char *outstring;
/*
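Review bot: the new `krb5_const` qualifier on `datap` is needed because the following hunk now assigns it from krb5_princ_realm() as well as krb5_princ_component(), and the realm pointer obtained from the input principal has to be treated as read-only; confirm that the remaining uses of `datap` in this function only read through it (the `strncpy(cout, datap->data, ...)` source below does), so nothing else needs the qualifier removed again.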
@@ -509,9 +509,11 @@
if (*current == '$') {
if ((sscanf(current+1, "%d", &compind) == 1) &&
(compind <= num_comps) &&
- (datap = krb5_princ_component(context,
- aname,
- compind-1))
+ (datap =
+ (compind > 0)
+ ? krb5_princ_component(context, aname,
+ compind-1)
+ : krb5_princ_realm(context, aname))
) {
strncpy(cout,
datap->data,
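Review bot: a negative component index still gets through this test. The guard is only `(compind <= num_comps)`, and the new expression `(compind > 0) ? krb5_princ_component(context, aname, compind-1) : krb5_princ_realm(context, aname)` sends every non-positive value to the realm branch, so a rule written with `$-1` now silently substitutes the realm instead of failing, which is the second half of the "zero or a negative number" problem the Description raises. Adding `(compind >= 0) &&` next to the `compind <= num_comps` test makes `$0` the only spelling that denotes the realm and rejects negative indices. The patch also carries no documentation change: the krb5.conf description of auth_to_local RULE should say that `$0` now expands to the realm of the principal being mapped.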
>Audit-Trail:
>Unformatted:
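An added model of the RULE: matching the report describes, not code from the library's an_to_ln.c, to show why the "[2:$1,$2](.*,special)" rule also fires for a principal from another realm and how a "$0" that denotes the realm makes a realm-scoped rule possible. It assumes that the regex must match the whole formatted string, that one sed-style s/// substitution follows, and it refuses "$0" in pre-patch mode instead of reading out of bounds.

```python
import re
from typing import Optional

# Constructed model (not the library's an_to_ln.c) of the rule syntax
# discussed in the report:  RULE:[n:string](regex)s/pattern/replacement/
# Assumptions: the regex must match the whole formatted string, and exactly
# one sed-style s/// substitution follows the parenthesised regex.
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)s/([^/]*)/([^/]*)/$")


def parse_principal(princ: str):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, realm = princ.rsplit("@", 1)
    return name.split("/"), realm


def apply_rule(rule: str, princ: str, realm_as_dollar0: bool) -> Optional[str]:
    """Local name the rule yields for princ, or None when the rule does not apply.
    realm_as_dollar0=False models the pre-patch library, where '$0' does not
    denote the realm; the model refuses it instead of indexing out of bounds.
    """
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparseable rule: {rule}")
    ncomps, fmt, regex, pat, repl = m.groups()
    comps, realm = parse_principal(princ)
    if len(comps) != int(ncomps):
        return None  # [n:...] applies only to principals with exactly n components

    def component(mo: re.Match) -> str:
        idx = int(mo.group(1))
        if idx == 0:
            if not realm_as_dollar0:
                raise ValueError("$0 does not denote the realm before the patch")
            return realm
        return comps[idx - 1]

    formatted = re.sub(r"\$(\d+)", component, fmt)
    if re.fullmatch(regex, formatted) is None:
        return None  # the regex part of the rule did not match
    return re.sub(pat, repl, formatted, count=1)


if __name__ == "__main__":
    special = "RULE:[2:$1,$2](.*,special)s/,special//"
    scoped = r"RULE:[1:$1@$0](.*@OTHER\.REALM)s/@.*//"
    for rule, princ in [(special, "joe/special@MY.REALM"),
                        (special, "joe/special@OTHER.REALM"),  # fires too: realm-unaware
                        (scoped, "alice@OTHER.REALM"),
                        (scoped, "alice@MY.REALM")]:
        print(f"{princ:28} -> {apply_rule(rule, princ, True)}")
```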