[36190] in Kerberos
Bug / oversight in kadmind handling of ACL_LIST
daemon@ATHENA.MIT.EDU (Jorj Bauer)
Mon Jun 9 15:11:29 2014
From: Jorj Bauer <jorj@isc.upenn.edu>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Mon, 9 Jun 2014 19:11:14 +0000
Message-ID: <783583777A0B2B4F9B03D97FFABAA2AC187CCE15@exch-mbx01.exchange.upenn.edu>
Hi folks,
(Please point me to another list if this is better suited elsewhere.)
src/kadmin/server/server_stubs.c has an oversight in the handling of ACL_LIST which prevents ACLs like this from functioning:
foo/listprinc@TEST.EXAMPLE.COM l jorj/kadmin-test.example.com@TEST.EXAMPLE.COM
The oversight is that kadm5int_acl_check is never passed the target argument; that means that either '*' matches everything, or it fails (even if you attempt to query the given specific principal).
A simple patch corrects the behavior (this is against current master, but it's easily backported to 1.11):
--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -737,6 +737,8 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
kadm5_server_handle_t handle;
const char *errmsg = NULL;
+ krb5_principal kpr = NULL;
+
xdr_free(xdr_gprincs_ret, &ret);
if ((ret.code = new_server_handle(arg->api_version, rqstp, &handle)))
@@ -755,10 +757,12 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
if (prime_arg == NULL)
prime_arg = "*";
+ /*kret = */ krb5_parse_name(handle->context, prime_arg, &kpr);
+
if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
rqst2name(rqstp),
ACL_LIST,
- NULL,
+ kpr,
NULL)) {
ret.code = KADM5_AUTH_LIST;
log_unauth("kadm5_get_principals", prime_arg,
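Review bot: the return value of krb5_parse_name is discarded (the commented-out `/*kret = */`), so if `prime_arg` fails to parse, `kpr` stays NULL and the ACL check silently falls back to the no-target behaviour this patch sets out to fix. Check the result and fail closed, e.g. `ret.code = krb5_parse_name(handle->context, prime_arg, &kpr);` followed by an error return (with the same cleanup the other error paths in this function do) instead of continuing into kadm5int_acl_check with a NULL target. Note also that `prime_arg` is the list expression (defaulting to "*"), not a principal name, so what gets compared against a targeted ACL entry is the query text as parsed, which is why only a query for the exact principal named in the ACL can satisfy such an entry.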
@@ -777,6 +781,10 @@ get_princs_2_svc(gprincs_arg *arg, struct svc_req *rqstp)
krb5_free_error_message(handle->context, errmsg);
}
+
+ if (kpr)
+ krb5_free_principal((krb5_context) NULL, kpr);
+
gss_release_buffer(&minor_stat, &client_name);
gss_release_buffer(&minor_stat, &service_name);
exit_func:
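Review bot: `krb5_free_principal((krb5_context) NULL, kpr)` passes a NULL context even though `handle->context` is in scope and is what the surrounding code uses (see the `krb5_free_error_message(handle->context, errmsg)` call just above in this hunk); use `krb5_free_principal(handle->context, kpr);` for consistency. The `if (kpr)` guard can also be dropped, since `kpr` is initialized to NULL in the first hunk and krb5_free_principal returns immediately on a NULL principal.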
The same fundamental code appears a second time in get_pols_2_svc.
-- Jorj
--
Jorj Bauer
Manager of Engineering, Research and Development
Information Systems and Computing, University of Pennsylvania
215.746.3850
XMPP: jorj@upenn.edu
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
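The ACL matching the report depends on, as an added example written for this page: a deliberately simplified model of kadm.acl target matching, not MIT krb5's own server_acl.c. It contrasts the unpatched call (NULL target) with the patched one (parsed query as target) against the ACL line from the report. The default realm, the extra admin/admin entry and the query strings are constructed for the example.

```c
/*
 * Added example (not MIT krb5 code): a simplified model of kadm.acl target
 * matching, to show why get_princs_2_svc must pass the parsed query as the
 * target.  The default realm, the ACL lines and the queries are constructed.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_COMPONENTS 8
#define DEFAULT_REALM "TEST.EXAMPLE.COM"   /* assumed default realm */

typedef struct {
    int ncomp;
    char comp[MAX_COMPONENTS][64];
    char realm[64];
} principal_t;

/* Parse "a/b@REALM" into components + realm, appending the default realm when
 * none is given (as krb5_parse_name does).  Returns false on malformed input
 * such as an empty component, so callers can see a parse failure explicitly. */
static bool parse_principal(const char *name, principal_t *out)
{
    if (name == NULL) return false;
    const char *at = strrchr(name, '@');
    size_t len = at ? (size_t)(at - name) : strlen(name);
    const char *realm = at ? at + 1 : DEFAULT_REALM;

    memset(out, 0, sizeof *out);
    if (realm[0] == '\0' || strlen(realm) >= sizeof out->realm) return false;
    strcpy(out->realm, realm);

    size_t start = 0;
    for (size_t i = 0; i <= len; i++) {
        if (i < len && name[i] != '/') continue;
        size_t clen = i - start;
        if (clen == 0 || clen >= sizeof out->comp[0] || out->ncomp == MAX_COMPONENTS)
            return false;
        memcpy(out->comp[out->ncomp], name + start, clen);
        out->comp[out->ncomp][clen] = '\0';
        out->ncomp++;
        start = i + 1;
    }
    return true;
}

/* One kadm.acl line: client, permission letters, optional target principal. */
typedef struct {
    const char *client;
    const char *perms;   /* "l", "admci", or "*" for all */
    const char *target;  /* NULL or "*" means any principal */
} acl_entry_t;

/* An ACL-side component of "*" matches anything; everything else is literal,
 * so a wildcard in the *query* is not a wildcard here. */
static bool match_principal(const principal_t *pat, const principal_t *req)
{
    if (pat->ncomp != req->ncomp) return false;
    for (int i = 0; i < pat->ncomp; i++)
        if (strcmp(pat->comp[i], "*") != 0 && strcmp(pat->comp[i], req->comp[i]) != 0)
            return false;
    return strcmp(pat->realm, "*") == 0 || strcmp(pat->realm, req->realm) == 0;
}

/* Does `client` hold `perm` for `target`?  `target` may be NULL, which is what
 * the unpatched get_princs_2_svc passes: a targeted entry then never matches. */
static bool acl_check(const acl_entry_t *acl, size_t n, const char *client,
                      char perm, const char *target)
{
    principal_t c, t, pat;
    bool have_target = target != NULL && parse_principal(target, &t);

    if (!parse_principal(client, &c)) return false;
    for (size_t i = 0; i < n; i++) {
        if (!parse_principal(acl[i].client, &pat) || !match_principal(&pat, &c)) continue;
        if (strcmp(acl[i].perms, "*") != 0 && strchr(acl[i].perms, perm) == NULL) continue;
        if (acl[i].target != NULL && strcmp(acl[i].target, "*") != 0) {
            if (!have_target) continue;                     /* the reported bug */
            if (!parse_principal(acl[i].target, &pat) || !match_principal(&pat, &t)) continue;
        }
        return true;
    }
    return false;
}

/* Constructed ACL: the entry from the report plus an unrestricted lister. */
static const acl_entry_t sample_acl[] = {
    { "jorj/kadmin-test.example.com@TEST.EXAMPLE.COM", "l", "foo/listprinc@TEST.EXAMPLE.COM" },
    { "admin/admin@TEST.EXAMPLE.COM", "l", NULL },
};
#define N_ACL (sizeof sample_acl / sizeof sample_acl[0])

/* Unpatched behaviour: the list query is never passed as the target. */
bool list_allowed_old(const char *client)
{
    return acl_check(sample_acl, N_ACL, client, 'l', NULL);
}

/* Patched behaviour: the query expression (default "*") becomes the target. */
bool list_allowed_new(const char *client, const char *exp)
{
    return acl_check(sample_acl, N_ACL, client, 'l', exp ? exp : "*");
}

int main(void)
{
    const char *jorj = "jorj/kadmin-test.example.com@TEST.EXAMPLE.COM";
    printf("old, exact query -> %s\n", list_allowed_old(jorj) ? "allowed" : "denied");
    printf("new, exact query -> %s\n", list_allowed_new(jorj, "foo/listprinc") ? "allowed" : "denied");
    printf("new, query \"*\"   -> %s\n", list_allowed_new(jorj, "*") ? "allowed" : "denied");
    return 0;
}
```

With the NULL target the jorj entry can never be satisfied, which is the behaviour the report describes; with the parsed query only an exact query for foo/listprinc succeeds, and the default "*" query is still refused for that client. A query that fails to parse (for instance one with an empty component) leaves `have_target` false, which reproduces what happens when the parse result is ignored: the targeted entry is quietly skipped rather than reported as an error.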