slightly expanded wildcard support for kadm5.acl - Kerberos


Thread: slightly expanded wildcard support for kadm5.acl

  1. slightly expanded wildcard support for kadm5.acl


    Attached is a patch to add wildcard support at the beginning and end of
    kadm5.acl components. I'd love to see this or something like it get
    added to the standard codebase. We haven't used this in the field yet,
    I wanted to get people's opinions first. I may not have considered all
    of the implications (please let me know if I'm missing something bad).

    We've run into a couple of situations here where it would be really handy
    to have this.

    Example 1:
    Temporary guest accounts on a system that doesn't support instances.
    This resulted in something similar to guest[001-100] principals and a
    hundred kadm5.acl entries so the event coordinator could reset
    passwords. This is much more concise:

    guest/admin@REALM.COM cmi guest*@REALM.COM


    Example 2:
    Multiple site admins using a central Kerberos realm. In this case you
    can give each site admin control to create/edit host keys in their own
    subdomain.

    site1/admin@REALM.COM * host/*.site1.realm.com@REALM.COM
    site2/admin@REALM.COM * host/*.site2.realm.com@REALM.COM


    -Mike

    PS. During my testing I noticed that kadmind segfaults if you forget to
    add the ACL permissions to a line in kadm5.acl.

    diff -Nur krb5-1.6/src/lib/kadm5/srv/server_acl.c krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c
    --- krb5-1.6/src/lib/kadm5/srv/server_acl.c 2006-06-16 01:58:42.000000000 -0500
    +++ krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c 2007-03-30 14:57:19.000000000 -0500
    @@ -543,7 +543,8 @@
    /*
    * kadm5int_acl_match_data() - See if two data entries match.
    *
    - * Wildcarding is only supported for a whole component.
    + * Wildcarding is only supported at the beginning, end, or as a
    + * whole component.
    */
    static krb5_boolean
    kadm5int_acl_match_data(e1, e2, targetflag, ws)
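    Review bot: The updated comment leaves the third placement undefined: a `*` that is neither first nor last (for example `a*b`) enters the new `strchr` block in the next hunk with `cmplen` still 0 and matches nothing, while `a*b*` is prefix-matched with the inner `*` taken literally. Say so here, e.g. `* A '*' elsewhere in a component is not treated as a wildcard.`, and carry the same statement into the kadm5.acl man page, so administrators do not assume general glob semantics when they write entries like the `host/*.site1.realm.com` example.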
    @@ -552,12 +553,37 @@
    wildstate_t *ws;
    {
    krb5_boolean retval;
    + int cmplen=0;
    + int e2offset;
    + int e1offset;

    DPRINT(DEBUG_CALLS, acl_debug_level,
    ("* acl_match_entry(%s, %s)\n", e1->data, e2->data));
    retval = 0;
    - if (!strncmp(e1->data, "*", e1->length)) {
    - retval = 1;
    +
    + if(strchr(e1->data, '*')){
    + if(e1->length == 1){
    + /* whole component matches wildcard */
    + retval = 1;
    +
    + }else if(e1->data[0] == '*'){
    + /* wildcard at beginning of component */
    + cmplen = e1->length - 1;
    + e2offset = e2->length - cmplen;
    + e1offset = 1;
    +
    + }else if(e1->data[e1->length-1] == '*'){
    + /* wildcard at end of component */
    + cmplen = e1->length - 1;
    + e2offset=0;
    + e1offset=0;
    + }
    +
    + /* Compare beginning or end of e2->data depending on offsets above */
    + if((strncmp(e1->data+e1offset, e2->data+e2offset, cmplen) == 0) && (e2offset >= 0) && (cmplen != 0)){
    + retval = 1;
    + }
    +
    if (ws && !targetflag) {
    if (ws->nwild >= 9) {
    DPRINT(DEBUG_ACL, acl_debug_level,
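    Review bot: The compound test `if((strncmp(e1->data+e1offset, e2->data+e2offset, cmplen) == 0) && (e2offset >= 0) && (cmplen != 0))` evaluates `strncmp` first, so the two guards after it never prevent the bad call: a leading-wildcard pattern longer than the subject makes `e2offset` negative and `strncmp` reads before `e2->data`; in the `e1->length == 1` branch and for a mid-component `*` (no branch taken) `e1offset` and `e2offset` are never assigned, so the pointer arithmetic uses uninitialized values; and the trailing-wildcard branch compares `cmplen` bytes of `e2->data` regardless of `e2->length`. Initialize both offsets to 0 where they are declared and put the cheap checks in front: `if (cmplen != 0 && e2offset >= 0 && e2->length - e2offset >= cmplen && strncmp(e1->data + e1offset, e2->data + e2offset, cmplen) == 0)`. Two further points: `strchr(e1->data, '*')` assumes a NUL-terminated buffer where the removed `strncmp(e1->data, "*", e1->length)` was bounded by the length (`memchr(e1->data, '*', e1->length)` keeps that property), and because this block now captures every component containing a `*`, the `*1`..`*9` back-reference targets that kadm5.acl supports would be handled here as leading wildcards (matching any component that ends in that digit) unless they are excluded before this block; note also that the `ws->backref` recording under the unchanged `if (ws && !targetflag)` now runs for partial wildcards even when `retval` stays 0.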

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
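    As an added example (not code from the post or from the krb5 tree), here is a length-bounded matcher for one principal component that implements the three wildcard placements the patch proposes: `*` alone, a leading `*` (suffix match) and a trailing `*` (prefix match). It is written against a constructed `acl_component` type that mirrors `krb5_data` only in shape (a length plus a pointer that need not be NUL-terminated); the type, the function names and the sample principals are assumptions for the example. It handles the case the patch's offset arithmetic gets wrong, a pattern longer than the subject, by checking lengths before any pointer is formed, and it treats a `*` in the middle of a component literally, which is one of the two behaviours a change like this has to pick and document. kadm5.acl also reserves `*1`..`*9` in target principals for back-references; a real integration has to check for those before calling a routine like this, since here `*1` would be a leading wildcard.

```c
/*
 * Added example, not the krb5 project's code: bounded wildcard matching for
 * a single kadm5.acl principal component. No str* function is used on the
 * component buffers, so every read stays inside `length` bytes.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for krb5_data (assumption): a counted buffer, not necessarily
 * NUL-terminated. */
typedef struct {
    size_t length;
    const char *data;
} acl_component;

static acl_component comp(const char *s)
{
    acl_component c;
    c.length = strlen(s);
    c.data = s;
    return c;
}

/* Literal comparison of two counted buffers. */
static int literal_match(acl_component a, acl_component b)
{
    return a.length == b.length && memcmp(a.data, b.data, a.length) == 0;
}

/* Returns 1 when `pattern` matches `subject`, 0 otherwise. */
int acl_component_match(acl_component pattern, acl_component subject)
{
    /* Whole-component wildcard. */
    if (pattern.length == 1 && pattern.data[0] == '*')
        return 1;

    /* memchr, not strchr: the buffer is bounded by length, not by NUL. */
    if (pattern.length == 0 || memchr(pattern.data, '*', pattern.length) == NULL)
        return literal_match(pattern, subject);

    size_t cmplen = pattern.length - 1;   /* pattern bytes other than the '*' */

    if (pattern.data[0] == '*') {
        /* Leading wildcard: subject must end with the pattern's tail. The
         * length check comes first so the offset can never go negative. */
        if (subject.length < cmplen)
            return 0;
        return memcmp(pattern.data + 1,
                      subject.data + (subject.length - cmplen), cmplen) == 0;
    }

    if (pattern.data[pattern.length - 1] == '*') {
        /* Trailing wildcard: subject must start with the pattern's head. */
        if (subject.length < cmplen)
            return 0;
        return memcmp(pattern.data, subject.data, cmplen) == 0;
    }

    /* A '*' that is neither first nor last is not a wildcard here: the
     * pattern is compared literally and can only match itself. */
    return literal_match(pattern, subject);
}

/* Convenience wrapper over C strings. */
int acl_match(const char *pattern, const char *subject)
{
    return acl_component_match(comp(pattern), comp(subject));
}

int main(void)
{
    /* Constructed inputs mirroring the two examples from the post. */
    printf("guest* vs guest042: %d\n", acl_match("guest*", "guest042"));
    printf("guest* vs gues: %d\n", acl_match("guest*", "gues"));
    printf("*.site1.realm.com vs web01.site1.realm.com: %d\n",
           acl_match("*.site1.realm.com", "web01.site1.realm.com"));
    printf("*.site1.realm.com vs web01.site2.realm.com: %d\n",
           acl_match("*.site1.realm.com", "web01.site2.realm.com"));
    printf("*.site1.realm.com vs site1.realm.com: %d\n",
           acl_match("*.site1.realm.com", "site1.realm.com"));
    return 0;
}
```

The `memchr`/`memcmp` calls and the two length checks are the whole point: the subject component arrives from a parsed principal whose length is known, and nothing here trusts a terminating NUL or lets an offset be computed before it is known to be in range.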


  2. Re: slightly expanded wildcard support for kadm5.acl

    As is typical, attached is the correct version of the patch with one
    less bug. Sorry about that.

    -Mike

    Mike Dopheide wrote:
    >
    > Attached is a patch to add wildcard support at the beginning and end of
    > kadm5.acl components. I'd love to see this or something like it get
    > added to the standard codebase. We haven't used this in the field yet,
    > I wanted to get people's opinions first. I may not have considered all
    > of the implications (please let me know if I'm missing something bad).
    >
    > We've run into a couple of situations here where it would be really handy
    > to have this.
    >
    > Example 1:
    > Temporary guest accounts on a system that doesn't support instances.
    > This resulted in something similar to guest[001-100] principals and a
    > hundred kadm5.acl entries so the event coordinator could reset
    > passwords. This is much more concise:
    >
    > guest/admin@REALM.COM cmi guest*@REALM.COM
    >
    >
    > Example 2:
    > Multiple site admins using a central Kerberos realm. In this case you
    > can give each site admin control to create/edit host keys in their own
    > subdomain.
    >
    > site1/admin@REALM.COM * host/*.site1.realm.com@REALM.COM
    > site2/admin@REALM.COM * host/*.site2.realm.com@REALM.COM
    >
    >
    > -Mike
    >
    > PS. During my testing I noticed that kadmind segfaults if you forget to
    > add the ACL permissions to a line in kadm5.acl.
    >
    >
    > ------------------------------------------------------------------------
    >
    > diff -Nur krb5-1.6/src/lib/kadm5/srv/server_acl.c krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c
    > --- krb5-1.6/src/lib/kadm5/srv/server_acl.c 2006-06-16 01:58:42.000000000 -0500
    > +++ krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c 2007-03-30 14:57:19.000000000 -0500
    > @@ -543,7 +543,8 @@
    > /*
    > * kadm5int_acl_match_data() - See if two data entries match.
    > *
    > - * Wildcarding is only supported for a whole component.
    > + * Wildcarding is only supported at the beginning, end, or as a
    > + * whole component.
    > */
    > static krb5_boolean
    > kadm5int_acl_match_data(e1, e2, targetflag, ws)
    > @@ -552,12 +553,37 @@
    > wildstate_t *ws;
    > {
    > krb5_boolean retval;
    > + int cmplen=0;
    > + int e2offset;
    > + int e1offset;
    >
    > DPRINT(DEBUG_CALLS, acl_debug_level,
    > ("* acl_match_entry(%s, %s)\n", e1->data, e2->data));
    > retval = 0;
    > - if (!strncmp(e1->data, "*", e1->length)) {
    > - retval = 1;
    > +
    > + if(strchr(e1->data, '*')){
    > + if(e1->length == 1){
    > + /* whole component matches wildcard */
    > + retval = 1;
    > +
    > + }else if(e1->data[0] == '*'){
    > + /* wildcard at beginning of component */
    > + cmplen = e1->length - 1;
    > + e2offset = e2->length - cmplen;
    > + e1offset = 1;
    > +
    > + }else if(e1->data[e1->length-1] == '*'){
    > + /* wildcard at end of component */
    > + cmplen = e1->length - 1;
    > + e2offset=0;
    > + e1offset=0;
    > + }
    > +
    > + /* Compare beginning or end of e2->data depending on offsets above */
    > + if((strncmp(e1->data+e1offset, e2->data+e2offset, cmplen) == 0) && (e2offset >= 0) && (cmplen != 0)){
    > + retval = 1;
    > + }
    > +
    > if (ws && !targetflag) {
    > if (ws->nwild >= 9) {
    > DPRINT(DEBUG_ACL, acl_debug_level,
    >
    >
    > ------------------------------------------------------------------------
    >
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos


    diff -Nur krb5-1.6/src/lib/kadm5/srv/server_acl.c krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c
    --- krb5-1.6/src/lib/kadm5/srv/server_acl.c 2006-06-16 01:58:42.000000000 -0500
    +++ krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c 2007-03-30 16:29:24.000000000 -0500
    @@ -543,7 +543,8 @@
    /*
    * kadm5int_acl_match_data() - See if two data entries match.
    *
    - * Wildcarding is only supported for a whole component.
    + * Wildcarding is only supported at the beginning, end, or as a
    + * whole component.
    */
    static krb5_boolean
    kadm5int_acl_match_data(e1, e2, targetflag, ws)
    @@ -552,12 +553,41 @@
    wildstate_t *ws;
    {
    krb5_boolean retval;
    + int cmplen=0;
    + int e2offset;
    + int e1offset;

    DPRINT(DEBUG_CALLS, acl_debug_level,
    ("* acl_match_entry(%s, %s)\n", e1->data, e2->data));
    retval = 0;
    - if (!strncmp(e1->data, "*", e1->length)) {
    - retval = 1;
    +
    + if(strchr(e1->data, '*')){
    + if(e1->length == 1){
    + /* whole component matches wildcard */
    + retval = 1;
    +
    + }else if(e1->data[0] == '*'){
    + /* wildcard at beginning of component */
    + cmplen = e1->length - 1;
    + e2offset = e2->length - cmplen;
    + e1offset = 1;
    +
    + }else if(e1->data[e1->length-1] == '*'){
    + /* wildcard at end of component */
    + cmplen = e1->length - 1;
    + if(e2->length < cmplen){
    + e2offset = -1;
    + }else{
    + e2offset=0;
    + e1offset=0;
    + }
    + }
    +
    + /* Compare beginning or end of e2->data depending on offsets above */
    + if((strncmp(e1->data+e1offset, e2->data+e2offset, cmplen) == 0) && (e2offset >= 0) && (cmplen != 0)){
    + retval = 1;
    + }
    +
    if (ws && !targetflag) {
    if (ws->nwild >= 9) {
    DPRINT(DEBUG_ACL, acl_debug_level,
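    Review bot: The new `if(e2->length < cmplen){ e2offset = -1; }` guard covers only the trailing-wildcard branch and does not stop the out-of-range call: `strncmp(...)` is still the first operand of the `&&` chain, so it runs before `e2offset >= 0` is tested and is now handed `e2->data - 1` together with an `e1offset` that this branch never sets. The leading-wildcard branch has the same problem when `e2->length < cmplen` (its `e2offset` goes negative), and the `*`-alone and mid-component-`*` paths still reach the compare with both offsets uninitialized. Initialize `e1offset` and `e2offset` to 0 where they are declared, drop the `-1` sentinel, and put the guards ahead of the compare so one condition covers both branches: `if (cmplen != 0 && e2offset >= 0 && e2->length - e2offset >= cmplen && strncmp(e1->data + e1offset, e2->data + e2offset, cmplen) == 0)`. `strchr(e1->data, '*')` should also become `memchr(e1->data, '*', e1->length)` so the match stays bounded by `e1->length`, as the removed `strncmp(e1->data, "*", e1->length)` was.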


