[3212] in Kerberos-V5-bugs


krb5-libs/957: auth_to_local RULE: does not allow examination of client REALM

daemon@ATHENA.MIT.EDU (crawdad@fnal.gov)
Thu May 17 11:56:09 2001

Resent-From: gnats@rt-11.mit.edu (GNATS Management)
Resent-To: krb5-unassigned@rt-11.mit.edu
Resent-Reply-To: krb5-bugs@MIT.EDU, crawdad@fnal.gov
Message-Id: <200105171541.KAA22958@gungnir.fnal.gov>
Date: Thu, 17 May 2001 10:41:51 -0500 (CDT)
From: crawdad@fnal.gov
Reply-To: crawdad@fnal.gov
To: krb5-bugs@mit.edu
Cc: krbdev@mit.edu


>Number:         957
>Category:       krb5-libs
>Synopsis:       auth_to_local RULE: does not allow examination of client REALM
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    krb5-unassigned
>State:          open
>Class:          change-request
>Submitter-Id:   unknown
>Arrival-Date:   Thu May 17 11:56:00 EDT 2001
>Last-Modified:
>Originator:     Matt Crawford
>Organization:
Fermilab
>Release:        krb5-1.2.2
>Environment:
All unix-like systems
System: SunOS gungnir.fnal.gov 5.5.1 Generic_103640-24 sun4u sparc SUNW,Ultra-1
Architecture: sun4

>Description:
	Augmenting the default krb5_aname_to_localname() method with
	some "auth_to_local = RULE:<sed-exp>" lines in krb5.conf is worse
	than useless if there is any cross-realm authentication,
	because the rules apply without regard to the client's realm.

	Also, if the [first part] contains a '$' followed by zero or
	a negative number, the results will be unpredictable.
>How-To-Repeat:
	For example, I might like to be able to consider all users in
	OTHER.REALM to be equivalent to users of the same name in my
	realm by writing

	auth_to_local = RULE:[1:$1@$0](.*@OTHER\.REALM)s/@.*//

	but the "$0" string does not currently denote the realm and
	causes unpredictable results due to insufficient bounds
	checking in rule_an_to_ln().

	If I simply wanted to map principals "name/special" to local
        accounts "name", for all values of "name", I might want to
        write

	auth_to_local = RULE:[2:$1,$2](.*,special)s/,special//

	but if my local realm cross-authenticates with any other
	realm, matching principals in that realm also get mapped.
>Fix:

Index: lib/krb5/os/an_to_ln.c
===================================================================
RCS file: /cvs/cd/kerberos/src/lib/krb5/os/an_to_ln.c,v
retrieving revision 1.1.1.4
retrieving revision 1.3
diff -u -r1.1.1.4 -r1.3
--- an_to_ln.c	2001/03/12 20:24:43	1.1.1.4
+++ an_to_ln.c	2001/05/01 15:35:37	1.3
@@ -476,7 +476,7 @@
     char		*selstring = 0;
     int			num_comps, compind;
     char		*cout;
-    krb5_data		*datap;
+    krb5_const krb5_data *datap;
     char		*outstring;
 
     /*
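Review bot: the new `krb5_const krb5_data *datap;` declaration drops the tab-aligned name column that the `selstring`, `cout` and `outstring` declarations around it keep, so it should be re-aligned to match. The change log should also say why the qualifier is added, given that `datap` can now also receive the result of krb5_princ_realm() in the next hunk.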
@@ -509,9 +509,11 @@
 			    if (*current == '$') {
 				if ((sscanf(current+1, "%d", &compind) == 1) &&
 				    (compind <= num_comps) &&
-				    (datap = krb5_princ_component(context,
-								  aname,
-								  compind-1))
+				    (datap =
+				     (compind > 0)
+				     ? krb5_princ_component(context, aname,
+							    compind-1)
+				     : krb5_princ_realm(context, aname))
 				    ) {
 				    strncpy(cout,
 					    datap->data,
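Review bot: in the new conditional, `(compind > 0) ? krb5_princ_component(...) : krb5_princ_realm(...)` sends every non-positive index to the realm, so a rule containing `$-3` is silently accepted as a synonym for `$0` instead of being rejected; the only bound tested is still `compind <= num_comps`. Suggest selecting the realm only when `compind == 0` and adding `compind >= 0` to the condition so that a negative index fails the rule. The new meaning of `$0` also needs a line in the auth_to_local RULE documentation.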


>Audit-Trail:
>Unformatted:
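
The report's two points, that a selection string built without the realm cannot tell realms apart and that a `$` index needs bounds checking, shown as an added example. This is not code from the report or from krb5: `expand_selection` is a hypothetical helper, the principal and realm names are constructed, and `$0` denoting the realm is the behaviour the report proposes.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from krb5): expand a RULE selection format such
 * as "$1@$0" into out. $0 is the realm, $1..$ncomps are the principal's
 * components. Returns 0 on success, -1 on a bad index or short buffer. */
int expand_selection(const char *fmt, const char *realm,
                     const char *const *comps, int ncomps,
                     char *out, size_t outlen)
{
    size_t used = 0;

    if (outlen == 0)
        return -1;
    while (*fmt) {
        const char *piece = fmt;        /* default: one literal byte */
        size_t len = 1;

        if (*fmt == '$') {
            char *end;
            /* A digit must follow '$': this rejects "$", "$-1", "$ 1". */
            if (!isdigit((unsigned char)fmt[1]))
                return -1;
            long idx = strtol(fmt + 1, &end, 10);
            if (idx > ncomps)           /* past the last component */
                return -1;
            piece = (idx == 0) ? realm : comps[idx - 1];
            len = strlen(piece);
            fmt = end;
        } else {
            fmt++;
        }
        if (len >= outlen - used)       /* keep room for the terminator */
            return -1;
        memcpy(out + used, piece, len);
        used += len;
    }
    out[used] = '\0';
    return 0;
}

int main(void) {
    char buf[64];
    const char *const comps[] = { "alice" };  /* constructed principal */
    if (expand_selection("$1@$0", "OTHER.REALM", comps, 1, buf, sizeof buf) == 0)
        puts(buf);                            /* realm is now matchable */
    return 0;
}
```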
