authorGreg Hudson <ghudson@mit.edu>2012-02-21 19:14:47 +0000
committerGreg Hudson <ghudson@mit.edu>2012-02-21 19:14:47 +0000
commite31c182a5ddbdf21490d18fe308a50d82a7d7453 (patch)
tree2af234759c88b9c0d255b08efe2682d5c34faa02 /src/kadmin
parent7558fb3af9f9fdfb8195333c11a70ab7b354f82c (diff)
Access controls for string RPCs [CVE-2012-1012]
In the kadmin protocol, make the access controls for get_strings/set_string mirror those of get_principal/modify_principal. Previously, anyone with global list privileges could get or modify string attributes on any principal. The impact of this depends on how generous the kadmind acl is with list permission and whether string attributes are used in a deployment (nothing in the core code uses them yet). CVSSv2 vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:O/RC:C ticket: 7093 target_version: 1.10.1 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25704 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kadmin')
-rw-r--r--src/kadmin/server/server_stubs.c19
1 files changed, 11 insertions, 8 deletions
diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
index 8dbe756d6..0de627f47 100644
--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -1634,10 +1634,13 @@ get_strings_2_svc(gstrings_arg *arg, struct svc_req *rqstp)
goto exit_func;
}
- if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
- rqst2name(rqstp),
- ACL_LIST, NULL, NULL)) {
- ret.code = KADM5_AUTH_LIST;
+ if (! cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) &&
+ (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
+ rqst2name(rqstp),
+ ACL_INQUIRE,
+ arg->princ,
+ NULL))) {
+ ret.code = KADM5_AUTH_GET;
log_unauth("kadm5_get_strings", prime_arg,
&client_name, &service_name, rqstp);
} else {
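Review bot: The new condition tests `cmp_gss_krb5_name` before `CHANGEPW_SERVICE(rqstp)`, so a client whose name matches `arg->princ` is let through even on the change-password service and without any `ACL_INQUIRE` entry, and nothing at the check says this is intended. The commit message says the check mirrors get_principal, so it is presumably deliberate. A comment above the `if` would keep a later edit from reordering the tests, for example `/* A principal may always read its own strings, even via the changepw service; anyone else needs ACL_INQUIRE on arg->princ. */`. The nested negations would also read more easily with the self-match result held in a named local. get_strings_2_svc begins and ends outside this hunk.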
@@ -1690,10 +1693,10 @@ set_string_2_svc(sstring_arg *arg, struct svc_req *rqstp)
goto exit_func;
}
- if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
- rqst2name(rqstp),
- ACL_LIST, NULL, NULL)) {
- ret.code = KADM5_AUTH_LIST;
+ if (CHANGEPW_SERVICE(rqstp)
+ || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY,
+ arg->princ, NULL)) {
+ ret.code = KADM5_AUTH_MODIFY;
log_unauth("kadm5_mod_strings", prime_arg,
&client_name, &service_name, rqstp);
} else {
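Review bot: Unlike the get_strings check in the previous hunk, this check has no self-match exception and refuses the changepw service outright, and that asymmetry is undocumented at the `if`. Because this path writes string attributes, a one-line comment such as `/* No self-service: setting strings always requires ACL_MODIFY on arg->princ. */` would show the difference is intentional and discourage a later "harmonising" edit that lets principals alter their own attributes. The denial is logged under `kadm5_mod_strings` while the RPC is set_string, so the comment could also name that label for anyone searching the audit log for refused set_string calls. set_string_2_svc begins and ends outside this hunk.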