[36195] in Kerberos

Re: Bug / oversight in kadmind handling of ACL_LIST

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jun 9 16:19:39 2014

Message-ID: <53961279.1080308@mit.edu>
Date: Mon, 09 Jun 2014 16:00:57 -0400
From: Greg Hudson <ghudson@mit.edu>
To: Jorj Bauer <jorj@isc.upenn.edu>, "kerberos@mit.edu" <kerberos@mit.edu>
In-Reply-To: <783583777A0B2B4F9B03D97FFABAA2AC187CCE15@exch-mbx01.exchange.upenn.edu>

On 06/09/2014 03:11 PM, Jorj Bauer wrote:
> src/kadmin/server/server_stubs.c has an oversight in the handling of ACL_LIST which prevents ACLs like this from functioning:

I think that is deliberate, not an oversight.  The argument to
get_princs is a pattern, not a principal name; parsing it as a principal
name and matching it against the ACL target pattern would have fuzzy
semantics at best.

I do see that our documentation uses list permissions in an example with
a target principal, which is deceptive.  We should be explicit that list
permission is all or nothing.  I will file an issue.