[3140] in Kerberos-V5-bugs
krb5-admin/777: kadm5.acl too generous with permissions on POLICIES
daemon@ATHENA.MIT.EDU (crawdad@fnal.gov)
Tue Oct 26 18:54:19 1999
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, crawdad@gungnir.fnal.gov
Message-Id: <199910262213.RAA20271@gungnir.fnal.gov>
Date: Tue, 26 Oct 1999 17:13:46 -0500 (CDT)
From: crawdad@fnal.gov
Reply-To: crawdad@gungnir.fnal.gov
To: krb5-bugs@MIT.EDU
Cc: krbdev@MIT.EDU, crawdad@fnal.gov
>Number: 777
>Category: krb5-admin
>Synopsis: add/delete/modify permission on ANY princ => ALL policies
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Oct 26 18:54:00 EDT 1999
>Last-Modified:
>Originator: Matt Crawford
>Organization:
Fermilab
>Release: krb5-1.0.6 krb5-1.1
>Environment:
System: SunOS gungnir.fnal.gov 5.5.1 Generic_103640-24 sun4u sparc SUNW,Ultra-1
Architecture: sun4
>Description:
If a subject principal P has add, delete, modify or inquire
privilege for any target principal T, then P can perform
the corresponding operation (a, d, m, i) on all policies.
This applies to 1.0.6 and 1.1.
>How-To-Repeat:
Add a line "name@REALM d name@REALM" to kadm5.acl and, as that
principal, delete a policy. Use caution.
Specific example:
...kadm5.acl contains "person@REALM acdi person/cron@REALM"...
% kadmin -p person
Enter password:
kadmin: addpol -maxlife "3 days" -minlength 27 -minclasses 5 sillypol
kadmin: listpols
get_policies: Operation requires ``list'' privilege while retrieving list.
kadmin: getpol sillypol
Policy: sillypol
Maximum password life: 259200
Minimum password life: 0
Minimum password length: 27
Minimum number of password character classes: 5
Number of old keys kept: 1
Reference count: 0
kadmin: getpol default
Policy: default
Maximum password life: 34560000
Minimum password life: 172800
Minimum password length: 10
Minimum number of password character classes: 2
Number of old keys kept: 5
Reference count: 31
kadmin: delpol sillypol
Are you sure you want to delete the policy "sillypol"? (yes/no): yes
kadmin: getpol sillypol
get_policy: Policy does not exist while retrieving policy "sillypol".
kadmin: q
>Fix:
Workaround: if any such permissions must be given, precede them by
a negative permission entry "name@REALM ADMCIL no/such/princ@REALM".
Illustration:
...kadm5.acl now contains "person@REALM ADMCIL no/such/princ@REALM"
before the above entry...
% kadmin -p person
Enter password:
kadmin: addpol -maxlife "3 days" -minlength 27 -minclasses 5 sillypol
add_policy: Operation requires ``add'' privilege while creating policy "sillypol".
kadmin: q
Better fix: in acl_find_entry(), if dest_princ is NULL, accept
only a match with entry->ae_target NULL or "*".
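The two lookup behaviours described above, as an added example in C that is not part of this report or of the krb5 sources: the table layout, the first-match-wins rule and the function names are assumptions modelling kadm5.acl handling, not copies of acl_find_entry(). It checks the report's entry under the 1.1 logic, under the proposed fix, and with the suggested negative entry in front of it.

```c
#include <stdio.h>
#include <string.h>
/* One kadm5.acl line: subject, permission letters (lowercase grants,
 * uppercase denies) and an optional target (NULL when absent). */
typedef struct { const char *subject, *perms, *target; } acl_entry;

/* First-match-wins lookup, modelled on acl_find_entry (not copied from it).
 * dest is the target principal, or NULL for a policy operation.  With fixed
 * != 0 a NULL dest matches only entries whose target is absent or "*". */
static const acl_entry *find_entry(const acl_entry *tab, int n, const char *subj,
                                   const char *dest, int fixed)
{
    for (int i = 0; i < n; i++) {
        const acl_entry *e = &tab[i];
        if (strcmp(e->subject, "*") != 0 && strcmp(e->subject, subj) != 0)
            continue;                     /* subject does not match */
        if (e->target == NULL || strcmp(e->target, "*") == 0)
            return e;                     /* wildcard target always matches */
        if (dest == NULL) {
            if (fixed) continue;          /* policy op: a specific target never matches */
            return e;                     /* the bug: target check skipped */
        }
        if (strcmp(e->target, dest) == 0)
            return e;
    }
    return NULL;
}
/* 1 if subj may perform op (a/d/m/c/i/l) on dest (NULL = a policy). */
int acl_permits(const acl_entry *tab, int n, const char *subj,
                const char *dest, char op, int fixed)
{
    const acl_entry *e = find_entry(tab, n, subj, dest, fixed);
    return e != NULL && strchr(e->perms, op) != NULL;   /* 'A' does not grant 'a' */
}

/* Constructed tables: the report's entry alone, the same entry behind the
 * suggested negative entry, and a wildcard-target entry for comparison. */
const acl_entry reported[1] = { {"person@REALM", "acdi", "person/cron@REALM"} };
const acl_entry with_workaround[2] = {
    {"person@REALM", "ADMCIL", "no/such/princ@REALM"},
    {"person@REALM", "acdi", "person/cron@REALM"} };
const acl_entry wildcard[1] = { {"admin@REALM", "admcil", "*"} };

int main(void)
{
    const char *p = "person@REALM";
    printf("addpol, 1.1 logic:     %d\n", acl_permits(reported, 1, p, NULL, 'a', 0));
    printf("addpol, proposed fix:  %d\n", acl_permits(reported, 1, p, NULL, 'a', 1));
    printf("addpol, workaround:    %d\n", acl_permits(with_workaround, 2, p, NULL, 'a', 0));
    printf("addprinc person/cron:  %d\n", acl_permits(with_workaround, 2, p, "person/cron@REALM", 'a', 0));
    return 0;
}
```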
>Audit-Trail:
>Unformatted: