[2519] in Kerberos-V5-bugs
krb5-admin/242: critical: kadmind ACL processing totally broken
daemon@ATHENA.MIT.EDU (hartmans@MIT.EDU)
Tue Nov 26 02:09:09 1996
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: bjaspan@MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, hartmans@MIT.EDU
Date: Tue, 26 Nov 1996 06:58:54 GMT
From: hartmans@MIT.EDU
Reply-To: hartmans@MIT.EDU
To: krb5-bugs@MIT.EDU
Cc: krbdev@MIT.EDU
>Number: 242
>Category: krb5-admin
>Synopsis: kadmind ACL processing totally broken
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: bjaspan
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Nov 26 02:09:01 EST 1996
>Last-Modified:
>Originator: Sam Hartman
>Organization:
mit
>Release: 1.0-development
>Environment:
System: IRIX opus 5.3 11091812 IP22 mips
>Description:
Barry's patch to kadmind broke the ACL handling so that it
oesn't work on any platform; this breaks all tests besides kpasswd ,
and will fail in release environments; this bug is sufficient to cause
a thaw.
>How-To-Repeat:
gmake[3]: Entering directory `/var/tmp/krb5/build/lib/rpc/unit-test'
./../../../kadmin/testing/scripts/env-setup.sh ../../../../krb5-1.0/src/lib/rpc/unit-test/../../../kadmin/testing/scripts/start_servers
RPC_TEST_SRVTAB=/tmp/rpc_test_v5srvtab ./../../../kadmin/testing/scripts/env-setup.sh ../../../../krb5-1.0/src/lib/rpc/unit-test/rpc_test_setup.sh
ERROR OVSEC_KADM_AUTH_ADD {Operation requires ``add'' privilege}
ERROR KADM5_AUTH_CHANGEPW {Operation requires ``change-password'' privilege}
ERROR OVSEC_KADM_AUTH_ADD {Operation requires ``add'' privilege}
ERROR KADM5_AUTH_CHANGEPW {Operation requires ``change-password'' privilege}
RPC_TEST_SRVTAB=/tmp/rpc_test_v5srvtab ./../../../kadmin/testing/scripts/env-setup.sh \
runtest --debug --srcdir ../../../../krb5-1.0/src/lib/rpc/unit-test --host mips-sgi-irix5.3 SERVER=./server CLIENT=./client \
KINIT=./../../../clients/kinit/kinit \
KDESTROY=./../../../clients/kdestroy/kdestroy \
PROT=-t --tool rpc_test
Test Run By hartmans on Tue Nov 26 00:00:00 EST 1996
Native configuration is mips-sgi-irix5.3
=== rpc_test tests ===
Running ../../../../krb5-1.0/src/lib/rpc/unit-test/rpc_test.0/expire.exp ...
Running ../../../../krb5-1.0/src/lib/rpc/unit-test/rpc_test.0/fullrun.exp ...
Running ../../../../krb5-1.0/src/lib/rpc/unit-test/rpc_test.0/gsserr.exp ...
FAIL: gss err: timeout waiting for server output
Nov 26 01:27:01 opus kadmind[19106](Notice): Reques
t: kadm5_init (V1), admin@SECURE-TEST.OV.COM, success, client=admin@SECURE-TEST.OV.COM, service=ovsec_adm/admin@SECURE-TEST.OV.COM, addr=18.70.0.252
Nov 26 01:27:01 opus kadmind[19106](Notice): Unauthorized request: kadm5_create_principal, server/opus.mit.edu@SECURE-TEST.OV.COM, client=admin@SECURE-TEST.OV.COM, service=ovsec_adm/admin@SECURE-TEST.OV.COM, addr=18.70.0.252
Nov 26 01:27:01 opus kadmind[19106](Notice): Unauthorized request: kadm5_randkey_principal (V1), server/opus.mit.edu@SECURE-TEST.OV.COM, client=admin@SECURE-TEST.OV.COM, service=ovsec_adm/admin@SECURE-TEST.OV.COM, addr=18.70.0.252
Nov 26 01:27:01 opus kadmind[19106](Notice): Unauthorized request: kadm5_create_principal, notserver/opus.mit.edu@SECURE-TEST.OV.COM, client=admin@SECURE-TEST.OV.COM, service=ovsec_adm/admin@SECURE-TEST.OV.COM, addr=18.70.0.252
Nov 26 01:27:01 opus kadmind[19106](Notice): Unauthorized request: kadm5_randkey_principal (V1), notserver/opus.mit.edu@SECURE-TEST.OV.COM, client=admin@SECURE-TEST.OV.COM, service=ovsec_adm/admin@SECURE-TEST.OV.COM, addr=18.70.0.252
Nov 26 01:27:05 opus krb5kdc[19104](info): AS_REQ 18.70.0.252(1750): ISSUE: authtime 848989625, testuser@SECURE-TEST.OV.COM for krbtgt/SECURE-TEST.OV.COM@SECURE-TEST.OV.COM
Here is the ACL:
se
>Fix:
Thanks to Marc, I understand the problem. Basically, Barry's
patches replaces the catchall ACL entry with a empty string, which
does not parse. This causes kadmind to assume that there is a syntax
error in the ACL file (the catchall entry is always parsed even if
there are other entries.) This causes the brilliantly designed ACL
parsing routines to free the entire ACL and only accept password
changing requests.
You should change the catchal entry to "* O" or something like that
and consider redesigning this vestage of the Beta5 admin system.
>Audit-Trail:
>Unformatted: