[29465] in CVS-changelog-for-Kerberos-V5
krb5 commit [krb5-1.14]: Fix kadmin min_life check with nonexistent
daemon@ATHENA.MIT.EDU (Tom Yu)
Wed Jul 6 16:30:50 2016
Date: Wed, 6 Jul 2016 16:30:47 -0400
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201607062030.u66KUl2B007610@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/ed725b8e0f43d8e6cf0ebe4eea89edabef1eba3d
commit ed725b8e0f43d8e6cf0ebe4eea89edabef1eba3d
Author: Greg Hudson <ghudson@mit.edu>
Date: Wed Jun 8 00:00:55 2016 -0400
Fix kadmin min_life check with nonexistent policy
In kadmind, self-service key changes require a check against the
policy's min_life field. If the policy does not exist, this check
should succeed according to the semantics introduced by ticket #7385.
Fix check_min_life() to return 0 if kadm5_get_policy() returns
KADM5_UNK_POLICY. Reported by John Devitofranceschi.
(cherry picked from commit 5fca279ca4d18f1b5798847a98e7df8737d2eb7c)
ticket: 8427
version_fixed: 1.14.3
src/kadmin/server/misc.c | 4 +++-
src/tests/t_policy.py | 5 ++++-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/kadmin/server/misc.c b/src/kadmin/server/misc.c
index 192145c..27a6376 100644
--- a/src/kadmin/server/misc.c
+++ b/src/kadmin/server/misc.c
@@ -177,10 +177,12 @@ check_min_life(void *server_handle, krb5_principal principal,
if(ret)
return ret;
if(princ.aux_attributes & KADM5_POLICY) {
+ /* Look up the policy. If it doesn't exist, treat this principal as if
+ * it had no policy. */
if((ret=kadm5_get_policy(handle->lhandle,
princ.policy, &pol)) != KADM5_OK) {
(void) kadm5_free_principal_ent(handle->lhandle, &princ);
- return ret;
+ return (ret == KADM5_UNK_POLICY) ? 0 : ret;
}
if((now - princ.last_pwd_change) < pol.pw_min_life &&
!(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
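Review bot: The new early return in check_min_life() fails open: when kadm5_get_policy() reports KADM5_UNK_POLICY, the min_life restriction is skipped entirely, and the added comment does not say this is deliberate. I would extend the comment to something like `/* Look up the policy. If it doesn't exist, treat this principal as if it had no policy (no min_life enforcement; see ticket #7385). */` so a later reader neither reverts it nor widens it to other error codes. For consistency with the `!= KADM5_OK` comparison just above, the return could read `return (ret == KADM5_UNK_POLICY) ? KADM5_OK : ret;`. The function body begins and ends outside this hunk.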
diff --git a/src/tests/t_policy.py b/src/tests/t_policy.py
index 1fa5106..776de59 100755
--- a/src/tests/t_policy.py
+++ b/src/tests/t_policy.py
@@ -2,7 +2,7 @@
from k5test import *
import re
-realm = K5Realm(create_host=False)
+realm = K5Realm(create_host=False, start_kadmind=True)
# Test password quality enforcement.
realm.run([kadminl, 'addpol', '-minlength', '6', '-minclasses', '2', 'pwpol'])
@@ -39,6 +39,9 @@ if 'Policy: newpol [does not exist]\n' not in out:
realm.run([kadminl, 'modprinc', '-policy', 'newpol', 'pwuser'])
# pwuser should allow reuse of the current password since newpol doesn't exist.
realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'])
+# Regression test for #8427 (min_life check with nonexistent policy).
+realm.run([kadmin, '-p', 'pwuser', '-w', '3rdpassword', 'cpw', '-pw',
+ '3rdpassword', 'pwuser'])
# Create newpol and verify that it is enforced.
realm.run([kadminl, 'addpol', '-minlength', '3', 'newpol'])
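Review bot: The regression test covers only the permissive side of the fix. It checks that a self-service `cpw` by pwuser succeeds while newpol is missing, but nothing visible in this hunk checks that min_life is enforced once the policy exists, since newpol is then created with only `-minlength`. Unless that is covered elsewhere in t_policy.py, consider a follow-up step that creates a policy with `-minlife` and runs the same kadmin command with `expected_code=1`, so a later change cannot widen the fail-open path unnoticed. A short comment such as `# Must go through kadmind: per the commit message, the min_life check applies to self-service key changes.` would also explain why this step uses `kadmin` rather than `kadminl`.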