[738] in Zephyr_Bugs
Re: ACL authorization
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Jan 24 03:46:46 1996
Date: Wed, 24 Jan 1996 03:46:36 -0500
From: Greg Hudson <ghudson@MIT.EDU>
To: Terry Hung <terryh@MAILBOX.SLAC.Stanford.EDU>
Cc: zephyr-bugs@MIT.EDU
In-Reply-To: "[685] in Zephyr_Bugs"

Hi. About six months ago, you wrote:
> 1. add "test:" to class-registry.acl
> 2. add "*.*@*" to iui-test.acl, iws-test.acl, sub-test.acl,
> and xmt-test.acl. (grant access to all).
> 3. run zephyrd and zhm and zwgc.
> 4. zwrite -c test
> This worked. Then we changed ACL files to either "user.*@*",
> "user@*", "user@cadhub.slac.stanford.edu", or
> "user@slac.stanford.edu", they all failed. Is this caused by the
> fact that we are not using Kerberos here? Thanks for any
> suggestion!

At the time you wrote this, I didn't have time to set up a realm and
test changes like this, and then I took time off to finish school.
You may or may not still be using zephyr, but for archival purposes I
should explain why this problem happens.

We've recently had some problems with acls, and by looking at the code
I found that they're broken in a couple of ways:
* Under SunOS and some other operating systems, access()
always returns true for root on a local filesystem, even if
the file being checked for doesn't exist. Thus, if an acl
file for a particular operation does not exist, nobody is
able to perform the operation (when it's intended that
everyone should be able to). The code should use stat()
instead. This bug is, in all likelihood, not the cause of
the problems you're having.
* The code for checking acls checks a particular
principal.instance@realm against four possible acl strings:

    principal.instance@realm
    principal.*@realm
    *.*@realm
    *.*@*

In particular, it does not try principal.*@*.
user.*@local-realm would have worked, assuming local-realm
is the name of your faked realm. (If you're using Kerberos,
user.*@your-realm would have worked.)

Both of these bugs ought to be fixed in the next release. (They're
relatively easy to fix by hand; see acl_check() in server/acl_files.c
in the source tree.)
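The four-candidate match described in the message, as an added example in C; it is not Zephyr's own acl_files.c. acl_match(), build_candidates() and the ACL entries are constructed here, and the fifth candidate (principal.*@*) is the assumed fix, tried only when with_fix is set:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAXCAND 5
#define CANDLEN 256

/* Build the exact-match candidates for principal.instance@realm.
 * The first four are the ones the message says acl_check() tries;
 * the fifth (principal.*@*) is the one it misses and is only added
 * when with_fix is true. Constructed example; the empty-instance
 * spelling "user@realm" is not modelled here. */
static int build_candidates(const char *princ, const char *inst, const char *realm,
                            bool with_fix, char cand[MAXCAND][CANDLEN]) {
    int n = 0;
    snprintf(cand[n++], CANDLEN, "%s.%s@%s", princ, inst, realm);
    snprintf(cand[n++], CANDLEN, "%s.*@%s", princ, realm);
    snprintf(cand[n++], CANDLEN, "*.*@%s", realm);
    snprintf(cand[n++], CANDLEN, "%s", "*.*@*");
    if (with_fix)
        snprintf(cand[n++], CANDLEN, "%s.*@*", princ);
    return n;
}

/* True when some ACL entry is byte-for-byte equal to a candidate.
 * acl is the list of lines read from the .acl file for one operation. */
bool acl_match(const char *princ, const char *inst, const char *realm,
               const char *const acl[], size_t nacl, bool with_fix) {
    char cand[MAXCAND][CANDLEN];
    int ncand = build_candidates(princ, inst, realm, with_fix, cand);
    for (size_t k = 0; k < nacl; k++)
        for (int c = 0; c < ncand; c++)
            if (strcmp(acl[k], cand[c]) == 0)
                return true;
    return false;
}

int main(void) {
    /* Constructed ACL file contents matching the entries the report tried. */
    const char *const wildcard_realm[] = { "user.*@*" };
    const char *const local_realm[]    = { "user.*@local-realm" };
    printf("user.*@*           old=%d fixed=%d\n",
           acl_match("user", "zwgc", "local-realm", wildcard_realm, 1, false),
           acl_match("user", "zwgc", "local-realm", wildcard_realm, 1, true));
    printf("user.*@local-realm old=%d\n",
           acl_match("user", "zwgc", "local-realm", local_realm, 1, false));
    return 0;
}
```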