Re: slightly expanded wildcard support for kadm5.acl

Mike Dopheide Fri, 30 Mar 2007 13:38:54 -0800

As is typical, attached is the correct version of the patch with oneless bug. Sorry about that.


-Mike


Mike Dopheide wrote:

Attached is a patch to add wildcard support at the beginning and end ofkadm5.acl components. I'd love to see this or something like it getadded to the standard codebase. We haven't used this in the field yet,I wanted to get people's opinions first. I may not have considered allof the implications (please let me know if I'm missing something bad).
We've run into a couple situations here where it would be really handyto have this.
Example 1:
Temporary guest accounts on a system that doesn't support instances.This resulted in something similar to guest[001-100] prinicpals and ahundred kadm5.acl entries so the event coordinator could resetpasswords. This is much more concise:
guest/[EMAIL PROTECTED]    cmi    [EMAIL PROTECTED]


Example 2:
Multiple site admins using a central Kerberos realm. In this case youcan give each site admin control to create/edit host keys in their ownsubdomain.
site1/[EMAIL PROTECTED]   *    host/[EMAIL PROTECTED]
site2/[EMAIL PROTECTED]   *    host/[EMAIL PROTECTED]


-Mike
PS. During my testing I noticed that kadmind segfaults if you forget toadd the ACL permissions to a line in kadm5.acl. :)
------------------------------------------------------------------------

diff -Nur krb5-1.6/src/lib/kadm5/srv/server_acl.c 
krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c
--- krb5-1.6/src/lib/kadm5/srv/server_acl.c     2006-06-16 01:58:42.000000000 
-0500
+++ krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c 2007-03-30 14:57:19.000000000 
-0500
@@ -543,7 +543,8 @@
 /*
  * kadm5int_acl_match_data()   - See if two data entries match.
  *
- * Wildcarding is only supported for a whole component.
+ * Wildcarding is only supported at the beginning, end, or as a
+ * whole component.
  */
 static krb5_boolean
 kadm5int_acl_match_data(e1, e2, targetflag, ws)
@@ -552,12 +553,37 @@
     wildstate_t        *ws;
 {
     krb5_boolean       retval;
+    int cmplen=0;
+    int e2offset;
+    int e1offset;
DPRINT(DEBUG_CALLS, acl_debug_level,("* acl_match_entry(%s, %s)\n", e1->data, e2->data));
     retval = 0;
-    if (!strncmp(e1->data, "*", e1->length)) {
-       retval = 1;
+
+    if(strchr(e1->data, '*')){
+        if(e1->length == 1){
+         /* whole component matches wildcard */
+           retval = 1;
+
+       }else if(e1->data[0] == '*'){
+           /* wildcard at beginning of component */
+           cmplen = e1->length - 1;
+           e2offset = e2->length - cmplen;
+           e1offset = 1;
++ }else if(e1->data[e1->length-1] == '*'){
+           /* wildcard at end of component */
+           cmplen = e1->length - 1;
+           e2offset=0;
+           e1offset=0;
+       }
+       
+       /* Compare beginning or end of e2->data depending on offsets above */
+       if((strncmp(e1->data+e1offset, e2->data+e2offset, cmplen) == 0) && (e2offset >= 
0) && (cmplen != 0)){
+           retval = 1;
+       }
+       
        if (ws && !targetflag) {
            if (ws->nwild >= 9) {
                DPRINT(DEBUG_ACL, acl_debug_level,


------------------------------------------------------------------------

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

diff -Nur krb5-1.6/src/lib/kadm5/srv/server_acl.c 
krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c
--- krb5-1.6/src/lib/kadm5/srv/server_acl.c     2006-06-16 01:58:42.000000000 
-0500
+++ krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c 2007-03-30 16:29:24.000000000 
-0500
@@ -543,7 +543,8 @@
 /*
  * kadm5int_acl_match_data()   - See if two data entries match.
  *
- * Wildcarding is only supported for a whole component.
+ * Wildcarding is only supported at the beginning, end, or as a
+ * whole component.
  */
 static krb5_boolean
 kadm5int_acl_match_data(e1, e2, targetflag, ws)
@@ -552,12 +553,41 @@
     wildstate_t        *ws;
 {
     krb5_boolean       retval;
+    int cmplen=0;
+    int e2offset;
+    int e1offset;
 
     DPRINT(DEBUG_CALLS, acl_debug_level, 
           ("* acl_match_entry(%s, %s)\n", e1->data, e2->data));
     retval = 0;
-    if (!strncmp(e1->data, "*", e1->length)) {
-       retval = 1;
+
+    if(strchr(e1->data, '*')){
+        if(e1->length == 1){
+         /* whole component matches wildcard */
+           retval = 1;
+
+       }else if(e1->data[0] == '*'){
+           /* wildcard at beginning of component */
+           cmplen = e1->length - 1;
+           e2offset = e2->length - cmplen;
+           e1offset = 1;
+         
+       }else if(e1->data[e1->length-1] == '*'){
+           /* wildcard at end of component */
+           cmplen = e1->length - 1;
+           if(e2->length < cmplen){
+               e2offset = -1;
+           }else{
+               e2offset=0;
+               e1offset=0;
+           }
+       }
+       
+       /* Compare beginning or end of e2->data depending on offsets above */
+       if((strncmp(e1->data+e1offset, e2->data+e2offset, cmplen) == 0) && 
(e2offset >= 0) && (cmplen != 0)){
+           retval = 1;
+       }
+       
        if (ws && !targetflag) {
            if (ws->nwild >= 9) {
                DPRINT(DEBUG_ACL, acl_debug_level,

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: slightly expanded wildcard support for kadm5.acl

Reply via email to