[2024] in Kerberos_V5_Development


critical: kadmind ACL processing totally broken

daemon@ATHENA.MIT.EDU (hartmans@MIT.EDU)
Tue Nov 26 01:59:02 1996

From: hartmans@MIT.EDU
Date: Tue, 26 Nov 1996 06:58:54 GMT
To: krb5-bugs@MIT.EDU
Reply-To: hartmans@MIT.EDU
Cc: krbdev@MIT.EDU


>Submitter-Id:	mit
>Originator:	Sam Hartman
>Organization:
mit
>Confidential:  no
>Synopsis:      kadmind  ACL processing totally broken
>Severity:      critical
>Priority:      high
>Category:      krb5-admin
>Class:         sw-bug
>Release:	1.0-development
>Environment:
	
System: IRIX opus 5.3 11091812 IP22 mips


>Description:
	
	Barry's patch to kadmind broke the ACL handling so that it
doesn't work on any platform; this breaks all tests besides kpasswd,
and will fail in release environments; this bug is sufficient to cause
a thaw.




>How-To-Repeat:
	
gmake[3]: Entering directory `/var/tmp/krb5/build/lib/rpc/unit-test'
./../../../kadmin/testing/scripts/env-setup.sh ../../../../krb5-1.0/src/lib/rpc/unit-test/../../../kadmin/testing/scripts/start_servers  
RPC_TEST_SRVTAB=/tmp/rpc_test_v5srvtab ./../../../kadmin/testing/scripts/env-setup.sh ../../../../krb5-1.0/src/lib/rpc/unit-test/rpc_test_setup.sh
ERROR OVSEC_KADM_AUTH_ADD {Operation requires ``add'' privilege}
ERROR KADM5_AUTH_CHANGEPW {Operation requires ``change-password'' privilege}
ERROR OVSEC_KADM_AUTH_ADD {Operation requires ``add'' privilege}
ERROR KADM5_AUTH_CHANGEPW {Operation requires ``change-password'' privilege}
RPC_TEST_SRVTAB=/tmp/rpc_test_v5srvtab ./../../../kadmin/testing/scripts/env-setup.sh \
	runtest   --debug --srcdir ../../../../krb5-1.0/src/lib/rpc/unit-test --host mips-sgi-irix5.3 SERVER=./server CLIENT=./client \
	KINIT=./../../../clients/kinit/kinit \
	KDESTROY=./../../../clients/kdestroy/kdestroy \
	PROT=-t --tool rpc_test
Test Run By hartmans on Tue Nov 26 00:00:00 EST 1996
Native configuration is mips-sgi-irix5.3

		=== rpc_test tests ===

Running ../../../../krb5-1.0/src/lib/rpc/unit-test/rpc_test.0/expire.exp ...
Running ../../../../krb5-1.0/src/lib/rpc/unit-test/rpc_test.0/fullrun.exp ...
Running ../../../../krb5-1.0/src/lib/rpc/unit-test/rpc_test.0/gsserr.exp ...
FAIL:	gss err: timeout waiting for server output

Nov 26 01:27:01 opus kadmind[19106](Notice): Request: kadm5_init (V1), admin@SECURE-TEST.OV.COM, success, client=admin@SECURE-TEST.OV.COM, service=ovsec_adm/admin@SECURE-TEST.OV.COM, addr=18.70.0.252
Nov 26 01:27:01 opus kadmind[19106](Notice): Unauthorized request: kadm5_create_principal, server/opus.mit.edu@SECURE-TEST.OV.COM, client=admin@SECURE-TEST.OV.COM, service=ovsec_adm/admin@SECURE-TEST.OV.COM, addr=18.70.0.252
Nov 26 01:27:01 opus kadmind[19106](Notice): Unauthorized request: kadm5_randkey_principal (V1), server/opus.mit.edu@SECURE-TEST.OV.COM, client=admin@SECURE-TEST.OV.COM, service=ovsec_adm/admin@SECURE-TEST.OV.COM, addr=18.70.0.252
Nov 26 01:27:01 opus kadmind[19106](Notice): Unauthorized request: kadm5_create_principal, notserver/opus.mit.edu@SECURE-TEST.OV.COM, client=admin@SECURE-TEST.OV.COM, service=ovsec_adm/admin@SECURE-TEST.OV.COM, addr=18.70.0.252
Nov 26 01:27:01 opus kadmind[19106](Notice): Unauthorized request: kadm5_randkey_principal (V1), notserver/opus.mit.edu@SECURE-TEST.OV.COM, client=admin@SECURE-TEST.OV.COM, service=ovsec_adm/admin@SECURE-TEST.OV.COM, addr=18.70.0.252
Nov 26 01:27:05 opus krb5kdc[19104](info): AS_REQ 18.70.0.252(1750): ISSUE: authtime 848989625, testuser@SECURE-TEST.OV.COM for krbtgt/SECURE-TEST.OV.COM@SECURE-TEST.OV.COM

Here is the ACL:
se
>Fix:
	

	Thanks to Marc, I understand the problem.  Basically, Barry's
patch replaces the catchall ACL entry with an empty string, which
does not parse.  This causes kadmind to assume that there is a syntax
error in the ACL file (the catchall entry is always parsed even if
there are other entries).  This causes the brilliantly designed ACL
parsing routines to free the entire ACL and only accept password
changing requests.

You should change the catchall entry to "* O" or something like that
and consider redesigning this vestige of the Beta5 admin system.
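The failure mode the report describes, as an added worked example (this is not code from the krb5 tree or from the report): a loader that always parses the catch-all entry, treats an unparsable entry as a syntax error, and on any syntax error discards the whole table and grants only change-password requests. The ACL line format ("<principal> <letters>"), the permission letters a/d/m/c/i/*, the "*" catch-all pattern, and the function names are simplified assumptions made for this example, not the real kadm5.acl grammar; the principals come from the log above.

```c
/* Added example: a minimal model of ACL loading where one bad entry
   (here an empty catch-all string) discards the entire table.
   Line format, permission letters and function names are assumptions
   for this illustration, not krb5's real kadm5.acl grammar. */
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16
#define MAX_PRINC   128
#define MAX_PERMS   32

/* Simplified, hypothetical permission letters. */
enum {
    PERM_ADD      = 1u << 0,  /* a */
    PERM_DELETE   = 1u << 1,  /* d */
    PERM_MODIFY   = 1u << 2,  /* m */
    PERM_CHANGEPW = 1u << 3,  /* c */
    PERM_INQUIRE  = 1u << 4,  /* i */
    PERM_ALL      = 0x1fu     /* * */
};

struct acl_entry { char princ[MAX_PRINC]; unsigned perms; };

struct acl_table {
    struct acl_entry e[MAX_ENTRIES];
    int n;
    int valid;   /* 0 after any syntax error: the whole table was discarded */
};

static unsigned perm_bit(char c)
{
    switch (c) {
    case 'a': return PERM_ADD;
    case 'd': return PERM_DELETE;
    case 'm': return PERM_MODIFY;
    case 'c': return PERM_CHANGEPW;
    case 'i': return PERM_INQUIRE;
    case '*': return PERM_ALL;
    default:  return 0;       /* unknown letter: syntax error */
    }
}

/* Parse "<principal> <letters>". Returns 1 on success, 0 on a syntax error.
   An empty string has no fields, so it fails: the report's exact case. */
static int parse_line(const char *line, struct acl_entry *out)
{
    char perms[MAX_PERMS];
    unsigned mask = 0;
    const char *p;

    if (sscanf(line, "%127s %31s", out->princ, perms) != 2)
        return 0;
    for (p = perms; *p; p++) {
        unsigned bit = perm_bit(*p);
        if (bit == 0)
            return 0;
        mask |= bit;
    }
    out->perms = mask;
    return 1;
}

/* Load the listed entries, then the catch-all, which is parsed even when other
   entries exist. Any parse failure throws the whole table away. */
static void acl_load(struct acl_table *t, const char *const *lines, int nlines,
                     const char *catchall)
{
    int i;
    t->n = 0;
    t->valid = 1;
    for (i = 0; i < nlines && t->n < MAX_ENTRIES - 1; i++) {
        if (!parse_line(lines[i], &t->e[t->n])) { t->valid = 0; t->n = 0; return; }
        t->n++;
    }
    if (!parse_line(catchall, &t->e[t->n])) { t->valid = 0; t->n = 0; return; }
    t->n++;
}

/* With a discarded table only change-password is granted (what the report says
   kadmind did); otherwise the first matching entry decides, and a client that
   matches no entry gets nothing. */
static int acl_check(const struct acl_table *t, const char *client, unsigned want)
{
    int i;
    if (!t->valid)
        return want == PERM_CHANGEPW;
    for (i = 0; i < t->n; i++)
        if (strcmp(t->e[i].princ, "*") == 0 || strcmp(t->e[i].princ, client) == 0)
            return (t->e[i].perms & want) == want;
    return 0;
}

/* Constructed sample ACL (one explicit admin entry) plus the given catch-all;
   returns 1 if the client may perform the requested operation. */
int sample_request(const char *catchall, const char *client, unsigned want)
{
    const char *lines[] = { "admin@SECURE-TEST.OV.COM admci" };
    struct acl_table t;
    acl_load(&t, lines, 1, catchall);
    return acl_check(&t, client, want);
}

int main(void)
{
    printf("empty catch-all, admin add:      %d\n", sample_request("",    "admin@SECURE-TEST.OV.COM", PERM_ADD));
    printf("empty catch-all, admin changepw: %d\n", sample_request("",    "admin@SECURE-TEST.OV.COM", PERM_CHANGEPW));
    printf("\"* c\" catch-all, admin add:      %d\n", sample_request("* c", "admin@SECURE-TEST.OV.COM", PERM_ADD));
    printf("\"* c\" catch-all, testuser add:   %d\n", sample_request("* c", "testuser@SECURE-TEST.OV.COM", PERM_ADD));
    return 0;
}
```

With the empty catch-all the admin entry is parsed fine but the table is still discarded, so kadm5_create_principal and kadm5_randkey_principal are refused for admin exactly as the "Unauthorized request" log lines show, while a change-password request still succeeds. With a parsable catch-all ("* c" here, a constructed stand-in for whatever the real entry should be) the explicit admin entry is honoured and a non-admin principal is still confined to the catch-all's permissions.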
