Simple ACL wildcard patch
daemon@ATHENA.MIT.EDU (Kenneth MacDonald)
Fri Aug 29 05:55:07 2014
From: Kenneth MacDonald <Kenneth.MacDonald@ed.ac.uk>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Fri, 29 Aug 2014 10:54:42 +0100
Message-ID: <1409306082.5846.119.camel@ion.is.ed.ac.uk>
There have been several requests and patches proposed to add support for
some kind of extended wildcard matching in ACLs for kadmind.
I have deployed this simple patch (attached) that checks for an asterisk
at the beginning of the target, but followed by a non-digit. It then
matches on the rest of the target.
Hence this ACL ...
*/dept.admin@TEST.REALM * */*.dept.test.realm@TEST.REALM
... allows all admin principals from Dept "dept" to manage instance
principals for hosts in their DNS domain in our central realm. This has
freed us up from manually creating thousands of principals on behalf of
departments, or writing a complex devolved web front end.
Is this patch small and simple enough to form the basis of a change to
the core code? If so, I'll happily patch up the documentation and
prepare it against trunk.
Cheers,
Kenny.
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
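A length-bounded implementation of the matching rule described in the message (a leading asterisk followed by a non-digit matches when the rest of the pattern is a suffix of the target component), added here as an illustration; it is not the attached patch nor MIT krb5 code. The `acl_data` struct is a stand-in assumed to mirror only the `length`/`data` fields of `krb5_data`, and the function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for krb5_data: a byte buffer with an explicit length that is
 * not guaranteed to be NUL-terminated (assumption: mirrors only the two
 * fields of the krb5 type that matter here). */
typedef struct {
    size_t length;
    const char *data;
} acl_data;

/* Returns 1 when `pat` is a leading-asterisk wildcard of the kind the
 * message describes ("*" followed by a non-digit) and the remainder of
 * the pattern is a suffix of `target`; returns 0 otherwise. Every
 * comparison is bounded by the explicit lengths, so neither buffer
 * needs a NUL terminator. */
int acl_suffix_match(const acl_data *pat, const acl_data *target)
{
    const char *suffix;
    size_t suffix_len;

    /* Bare "*" and "*<digit>" back-references are other ACL forms,
     * handled elsewhere in a full matcher; reject them here. */
    if (pat->length < 2 || pat->data[0] != '*' ||
        isdigit((unsigned char)pat->data[1]))
        return 0;

    suffix = pat->data + 1;
    suffix_len = pat->length - 1;
    if (target->length < suffix_len)
        return 0;

    /* Compare at a fixed offset from the end of the target, so a suffix
     * that also occurs earlier in the target still matches. */
    return memcmp(target->data + target->length - suffix_len,
                  suffix, suffix_len) == 0;
}

/* Convenience wrapper over NUL-terminated strings for demos and tests. */
int acl_suffix_match_str(const char *pat, const char *target)
{
    acl_data p = { strlen(pat), pat };
    acl_data t = { strlen(target), target };
    return acl_suffix_match(&p, &t);
}

int main(void)
{
    /* Constructed sample component names, after the message's example. */
    const char *pat = "*.dept.test.realm";
    const char *samples[] = {
        "host.dept.test.realm",
        "a.b.dept.test.realm",
        "host.dept.test.realm.example",
        "x.dept.test.realm.dept.test.realm",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-36s %s\n", samples[i],
               acl_suffix_match_str(pat, samples[i]) ? "match" : "no match");
    return 0;
}
```

Because this is a plain suffix test, the separator belongs in the pattern, as in the message's `*/*.dept.test.realm@TEST.REALM`: a pattern such as `*dept.test.realm` would also accept a component like `notdept.test.realm`. As with the attached patch, an empty prefix (a component equal to the suffix itself) also matches.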
Attachment: krb5-1.11.3-wildcard_target.patch
diff -ur krb5-1.11.3.orig/src/lib/kadm5/srv/server_acl.c krb5-1.11.3/src/lib/kadm5/srv/server_acl.c
--- krb5-1.11.3.orig/src/lib/kadm5/srv/server_acl.c 2013-06-03 22:39:43.000000000 +0100
+++ krb5-1.11.3/src/lib/kadm5/srv/server_acl.c 2013-07-15 15:13:40.000000000 +0100
@@ -586,6 +586,17 @@
retval = 1;
}
+ else if (targetflag && (e1->length > 1) && (e1->data[0] == '*' )) {
+ /* Target component starts with an asterisk, but not followed
+ by a decimal digit, so match on everything after the
+ asterisk. */
+ char *p;
+ if (p = strstr(e2->data, e1->data+1)) {
+ if ((strlen(p) == (e1->length-1)) && !strncmp(e1->data+1, p, strlen(p))) {
+ retval = 1;
+ }
+ }
+ }
else {
if ((e1->length == e2->length) &&
(!strncmp(e1->data, e2->data, e1->length)))
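Review bot: the suffix test in the new branch gives a false negative whenever the suffix occurs more than once in the target: `strstr(e2->data, e1->data+1)` returns the first occurrence, and `strlen(p) == (e1->length-1)` then only succeeds if that first occurrence is at the very end, so a target like `x.dept.test.realm.dept.test.realm` does not match `*.dept.test.realm` even though it ends with it. Compare at a fixed offset from the end instead, e.g. `if (e2->length >= e1->length - 1 && !memcmp(e2->data + e2->length - (e1->length - 1), e1->data + 1, e1->length - 1))`, which also removes the `strncmp` that is redundant once `strstr` has succeeded. Two smaller points: `strstr`/`strlen` assume both `krb5_data` buffers are NUL-terminated, whereas the surrounding code deliberately works from `e1->length` with `strncmp`, so the length-bounded form is the safer one; and `if (p = strstr(...))` should be `if ((p = strstr(...)) != NULL)` to make the assignment explicit. Finally, the comment says the asterisk is "not followed by a decimal digit", but the condition only checks `e1->data[0] == '*'` and `e1->length > 1`; if this relies on the `*N` back-reference case being consumed by an earlier branch of the chain, say so in the comment, since reordering the branches would silently turn `*1` into a suffix match on the literal string `1`.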
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos