[2320] in Kerberos_V5_Development
Re: request comments on new ACL file format
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Tue Mar 25 11:54:07 1997
Date: Tue, 25 Mar 1997 16:48:55 GMT
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: tlyu@MIT.EDU
Cc: krbdev@MIT.EDU
In-Reply-To: <9703242203.AA23893@tesla-coil.MIT.EDU> (message from Tom Yu on Mon, 24 Mar 1997 17:03:07 -0500)
My comments:
o I think using < and > to indicate groups is awful. Subsequent mail
makes it look like you've switched to the prefix "group"; much better.
o Add a new privilege: the ability to set arbitrary keys. This will
allow a user to call kadm5_setkey_principal, and should be separate
from all other privileges.
o FYI: Currently, the admin server enforces "users are allowed to do
X on themselves" (e.g. change password) in code, not via the ACL.
Doing it in the ACL is probably better, but will require minor changes
in the dispatch function.
o The admin server also enforces different rules depending on whether
the client request is authenticated to kadmin/admin or
kadmin/changepw. The rationale is that kadmin/changepw has the "issue
tickets for this principal even when the requesting client principal's
password is expired" bit, so that password changes are always
possible. However, we do *not* want to allow admin principals with
expired passwords to perform normal admin operations; therefore,
requests authenticated to kadmin/changepw are not allowed to do most
things. Probably this logic should remain in C code, not the ACL,
since the set of things expired princs can do is small. However,
someone should check the kadm5 spec for what those things are and make
sure it is all consistent.
o I assume the permission
C = Change key, optionally immediately extract key
means you can call either chpass_principal or randkey_principal, given
their current implementations. Note that the permission
E = Extract current key
does not correspond to any functionality currently in the admin
server. This functionality is potentially more dangerous even than
setkey_principal, and to date no one has made a compelling argument
that it is necessary.
o The group membership, globbing, and acl matching semantics seem very
flexible and powerful. You should think very hard to make sure that
all cases are well defined and decidable, though. Try to find a case
that isn't.
Barry
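As an added illustration of the last point above (this is example code written for this page, not code from the thread, from MIT Kerberos, or from the ACL format Tom proposed), here is a small Python ACL matcher that supports principal globbing, group membership, and groups nested inside groups. The line syntax, the `group:` reference prefix, the allow-only union semantics, and all sample principals and realms are assumptions made for the example; only the `group` keyword and the C/E permission letters come from the message. It shows one case that is not well defined unless handled explicitly: a cycle in group membership. The loader rejects cycles and dangling group references at parse time, so the recursive match at request time always terminates.

```python
"""Toy kadmin-style ACL matcher: globs, groups, nested groups, cycle rejection.

Illustrative code only; the file syntax is an assumption for this example:
  group NAME: member, member, ...    members are principals, globs, or group:NAME
  WHO  PERMS  [TARGET_GLOB]          WHO is a principal, glob, or group:NAME
Semantics (assumed): a request is allowed iff some rule grants it; rules are
a union, so their order never matters and no rule can deny.
"""
import fnmatch


class AclError(Exception):
    """Malformed ACL: bad syntax, unknown group, or cyclic group membership."""


# Constructed sample ACL in the assumed syntax (not a real kadm5.acl file).
SAMPLE_ACL = """\
group admins: alice/admin@EXAMPLE.COM, bob/admin@EXAMPLE.COM
group ops: group:admins, */ops@EXAMPLE.COM
# who                    perms target-glob
group:ops                C     *@EXAMPLE.COM
alice/admin@EXAMPLE.COM  E     host/*@EXAMPLE.COM
"""

# Constructed sample whose group graph is cyclic: the loader must reject it,
# otherwise a naive recursive matcher would never return.
CYCLIC_ACL = """\
group loop-a: group:loop-b
group loop-b: group:loop-a
group:loop-a  C  *
"""


def _group_name(spec):
    """Return the group name if spec is a group reference, else None."""
    return spec[len('group:'):] if spec.startswith('group:') else None


def parse_acl(text):
    """Parse the assumed syntax into (groups, rules); '#' starts a comment."""
    groups, rules = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('group '):
            name, sep, members = line[len('group '):].partition(':')
            if not sep or not name.strip():
                raise AclError(f"line {lineno}: bad group definition")
            groups[name.strip()] = [m.strip() for m in members.split(',') if m.strip()]
            continue
        parts = line.split()
        if len(parts) not in (2, 3):
            raise AclError(f"line {lineno}: expected 'who perms [target]'")
        who, perms = parts[0], set(parts[1])
        target = parts[2] if len(parts) == 3 else '*'
        rules.append((who, perms, target))
    _check_groups(groups, rules)
    return groups, rules


def _check_groups(groups, rules):
    """Reject unknown group references and membership cycles at load time
    (depth-first search with visiting/done marks), so matching always halts."""
    state = {}

    def visit(name, path):
        if name not in groups:
            raise AclError(f"unknown group {name!r} referenced from {path[-1]}")
        if state.get(name) == 'done':
            return
        if state.get(name) == 'visiting':
            raise AclError("cyclic group membership: " + " -> ".join(path + [name]))
        state[name] = 'visiting'
        for member in groups[name]:
            sub = _group_name(member)
            if sub is not None:
                visit(sub, path + [name])
        state[name] = 'done'

    for name in groups:
        visit(name, ['<top>'])
    for who, _, _ in rules:
        sub = _group_name(who)
        if sub is not None:
            visit(sub, ['<rule>'])


def _matches(groups, principal, spec):
    """Does principal satisfy spec? Groups expand recursively; safe because
    _check_groups already proved the group graph is acyclic."""
    name = _group_name(spec)
    if name is not None:
        return any(_matches(groups, principal, m) for m in groups[name])
    return fnmatch.fnmatchcase(principal, spec)


def permitted(acl, client, perm, target):
    """True iff some rule lets `client` perform `perm` on `target`."""
    groups, rules = acl
    return any(perm in perms
               and _matches(groups, client, who)
               and fnmatch.fnmatchcase(target, target_glob)
               for who, perms, target_glob in rules)


def loads_cleanly(text):
    """True if the ACL text parses and passes the group checks."""
    try:
        parse_acl(text)
        return True
    except AclError:
        return False


if __name__ == '__main__':
    acl = parse_acl(SAMPLE_ACL)
    print(permitted(acl, 'carol/ops@EXAMPLE.COM', 'C', 'dave@EXAMPLE.COM'))
    print(loads_cleanly(CYCLIC_ACL))
```

Two things worth noticing when hunting for ill-defined cases in a format like this. First, termination is a property of the loader, not the matcher: once nested groups are allowed, either the loader proves the graph acyclic or the matcher needs its own visited set, and doing neither is the bug. Second, glob semantics interact with the principal syntax: `*@EXAMPLE.COM` in this matcher also covers instanced principals such as `host/www@EXAMPLE.COM` and `kadmin/changepw@EXAMPLE.COM`, because `*` matches `/`. Whether that is intended has to be spelled out in the specification, since rule authors will otherwise assume the narrower reading.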