As is typical, attached is the correct version of the patch with one
less bug. Sorry about that.
-Mike
Mike Dopheide wrote:
Attached is a patch to add wildcard support at the beginning and end of
kadm5.acl components. I'd love to see this or something like it get
added to the standard codebase. We haven't used this in the field yet,
I wanted to get people's opinions first. I may not have considered all
of the implications (please let me know if I'm missing something bad).
We've run into a couple situations here where it would be really handy
to have this.
Example 1:
Temporary guest accounts on a system that doesn't support instances.
This resulted in something similar to guest[001-100] prinicpals and a
hundred kadm5.acl entries so the event coordinator could reset
passwords. This is much more concise:
guest/[EMAIL PROTECTED] cmi [EMAIL PROTECTED]
Example 2:
Multiple site admins using a central Kerberos realm. In this case you
can give each site admin control to create/edit host keys in their own
subdomain.
site1/[EMAIL PROTECTED] * host/[EMAIL PROTECTED]
site2/[EMAIL PROTECTED] * host/[EMAIL PROTECTED]
-Mike
PS. During my testing I noticed that kadmind segfaults if you forget to
add the ACL permissions to a line in kadm5.acl. :)
------------------------------------------------------------------------
diff -Nur krb5-1.6/src/lib/kadm5/srv/server_acl.c
krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c
--- krb5-1.6/src/lib/kadm5/srv/server_acl.c 2006-06-16 01:58:42.000000000
-0500
+++ krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c 2007-03-30 14:57:19.000000000
-0500
@@ -543,7 +543,8 @@
/*
* kadm5int_acl_match_data() - See if two data entries match.
*
- * Wildcarding is only supported for a whole component.
+ * Wildcarding is only supported at the beginning, end, or as a
+ * whole component.
*/
static krb5_boolean
kadm5int_acl_match_data(e1, e2, targetflag, ws)
@@ -552,12 +553,37 @@
wildstate_t *ws;
{
krb5_boolean retval;
+ int cmplen=0;
+ int e2offset;
+ int e1offset;
DPRINT(DEBUG_CALLS, acl_debug_level,
("* acl_match_entry(%s, %s)\n", e1->data, e2->data));
retval = 0;
- if (!strncmp(e1->data, "*", e1->length)) {
- retval = 1;
+
+ if(strchr(e1->data, '*')){
+ if(e1->length == 1){
+ /* whole component matches wildcard */
+ retval = 1;
+
+ }else if(e1->data[0] == '*'){
+ /* wildcard at beginning of component */
+ cmplen = e1->length - 1;
+ e2offset = e2->length - cmplen;
+ e1offset = 1;
+
+ }else if(e1->data[e1->length-1] == '*'){
+ /* wildcard at end of component */
+ cmplen = e1->length - 1;
+ e2offset=0;
+ e1offset=0;
+ }
+
+ /* Compare beginning or end of e2->data depending on offsets above */
+ if((strncmp(e1->data+e1offset, e2->data+e2offset, cmplen) == 0) && (e2offset >=
0) && (cmplen != 0)){
+ retval = 1;
+ }
+
if (ws && !targetflag) {
if (ws->nwild >= 9) {
DPRINT(DEBUG_ACL, acl_debug_level,
------------------------------------------------------------------------
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
diff -Nur krb5-1.6/src/lib/kadm5/srv/server_acl.c
krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c
--- krb5-1.6/src/lib/kadm5/srv/server_acl.c 2006-06-16 01:58:42.000000000
-0500
+++ krb5-1.6.dop/src/lib/kadm5/srv/server_acl.c 2007-03-30 16:29:24.000000000
-0500
@@ -543,7 +543,8 @@
/*
* kadm5int_acl_match_data() - See if two data entries match.
*
- * Wildcarding is only supported for a whole component.
+ * Wildcarding is only supported at the beginning, end, or as a
+ * whole component.
*/
static krb5_boolean
kadm5int_acl_match_data(e1, e2, targetflag, ws)
@@ -552,12 +553,41 @@
wildstate_t *ws;
{
krb5_boolean retval;
+ int cmplen=0;
+ int e2offset;
+ int e1offset;
DPRINT(DEBUG_CALLS, acl_debug_level,
("* acl_match_entry(%s, %s)\n", e1->data, e2->data));
retval = 0;
- if (!strncmp(e1->data, "*", e1->length)) {
- retval = 1;
+
+ if(strchr(e1->data, '*')){
+ if(e1->length == 1){
+ /* whole component matches wildcard */
+ retval = 1;
+
+ }else if(e1->data[0] == '*'){
+ /* wildcard at beginning of component */
+ cmplen = e1->length - 1;
+ e2offset = e2->length - cmplen;
+ e1offset = 1;
+
+ }else if(e1->data[e1->length-1] == '*'){
+ /* wildcard at end of component */
+ cmplen = e1->length - 1;
+ if(e2->length < cmplen){
+ e2offset = -1;
+ }else{
+ e2offset=0;
+ e1offset=0;
+ }
+ }
+
+ /* Compare beginning or end of e2->data depending on offsets above */
+ if((strncmp(e1->data+e1offset, e2->data+e2offset, cmplen) == 0) &&
(e2offset >= 0) && (cmplen != 0)){
+ retval = 1;
+ }
+
if (ws && !targetflag) {
if (ws->nwild >= 9) {
DPRINT(DEBUG_ACL, acl_debug_level,
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos