author | Sam Hartman <hartmans@mit.edu> | 2002-03-03 03:05:40 +0000 |
---|---|---|
committer | Sam Hartman <hartmans@mit.edu> | 2002-03-03 03:05:40 +0000 |
commit | 7ca1257c8b6a6d3fa1adc292bbc6a1fc7900f9a7 (patch) | |
tree | 040549aaa449dd054415f15f645160513e8f37b0 /src/lib/kadm5/srv | |
parent | 781a967c2f1a2fc2c65f4ea96cfdf549dfc971f4 (diff) | |
2002-03-02 Sam Hartman <hartmans@mit.edu>
* server_acl.c (acl_find_entry): Patch from sxw@sxw.org.uk:
patch to correct handling of ACL targets. Previous patch from
Matt Crawford seems to only work for * targets where it ignores
the restrictions. This patch seems to work for all the semantics
described in MATt's original message, at least as far as I tested.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14214 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/kadm5/srv')
-rw-r--r-- | src/lib/kadm5/srv/ChangeLog | 8 | ||||
-rw-r--r-- | src/lib/kadm5/srv/server_acl.c | 48 |
2 files changed, 31 insertions, 25 deletions
diff --git a/src/lib/kadm5/srv/ChangeLog b/src/lib/kadm5/srv/ChangeLog
index d9a7ee7d9..b3921ea56 100644
--- a/src/lib/kadm5/srv/ChangeLog
+++ b/src/lib/kadm5/srv/ChangeLog
@@ -1,3 +1,11 @@
+2002-03-02 Sam Hartman <hartmans@mit.edu>
+
+ * server_acl.c (acl_find_entry): Patch from sxw@sxw.org.uk:
+ patch to correct handling of ACL targets. Previous patch from
+ Matt Crawford seems to only work for * targets where it ignores
+ the restrictions. This patch seems to work for all the semantics
+ described in MATt's original message, at least as far as I tested.
+
 2001-10-22 Tom Yu <tlyu@mit.edu>
 
 * svr_principal.c (kadm5_decrypt_key): For now, coerce enctype of
diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
index e114bfc86..b2ebaaa36 100644
--- a/src/lib/kadm5/srv/server_acl.c
+++ b/src/lib/kadm5/srv/server_acl.c
@@ -643,39 +643,37 @@ acl_find_entry(kcontext, principal, dest_princ) continue; /* We've matched the principal. If we have a target, then try it */ - if (entry->ae_target) { - if (!strcmp(entry->ae_target, "*")) - break; + if (entry->ae_target && strcmp(entry->ae_target, "*")) { if (!entry->ae_target_princ && !entry->ae_target_bad) { kret = krb5_parse_name(kcontext, entry->ae_target, &entry->ae_target_princ); if (kret) entry->ae_target_bad = 1; } - } - if (entry->ae_target_bad) { - DPRINT(DEBUG_ACL, acl_debug_level, - ("Bad target in ACL entry for %s\n", entry->ae_name)); - entry->ae_name_bad = 1; - continue; - } - if (entry->ae_target && !dest_princ) - matchgood = 0; - else if (entry->ae_target && entry->ae_target_princ && dest_princ) { - if (acl_match_data(&entry->ae_target_princ->realm, - &dest_princ->realm, 1, (wildstate_t *)0) && - (entry->ae_target_princ->length == dest_princ->length)) { - for (i=0; i<dest_princ->length; i++) { - if (!acl_match_data(&entry->ae_target_princ->data[i], - &dest_princ->data[i], 1, &state)) { - matchgood = 0; - break; + if (entry->ae_target_bad) { + DPRINT(DEBUG_ACL, acl_debug_level, + ("Bad target in ACL entry for %s\n", entry->ae_name)); + entry->ae_name_bad = 1; + continue; + } + if (!dest_princ) + matchgood = 0; + else if (entry->ae_target_princ && dest_princ) { + if (acl_match_data(&entry->ae_target_princ->realm, + &dest_princ->realm, 1, (wildstate_t *)0) && + (entry->ae_target_princ->length == dest_princ->length)) { + for (i=0; i<dest_princ->length; i++) { + if (!acl_match_data(&entry->ae_target_princ->data[i], + &dest_princ->data[i], 1, &state)) { + matchgood = 0; + break; + } } - } + } + else + matchgood = 0; } - else - matchgood = 0; - } + } if (!matchgood) continue; |
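Review bot: The new target check `else if (entry->ae_target_princ && dest_princ) {` has no final `else`, so if `ae_target_princ` were ever NULL there with `ae_target_bad` clear, `matchgood` would keep its earlier value and an entry restricted to one target would match any `dest_princ`. The parse and bad-target checks just above appear to make that case unreachable, and `dest_princ` is already known to be non-NULL on this path, so the condition can simply be `else {`, which makes the authorization decision fail closed by construction. The new outer test also deserves a comment stating the rule it encodes, for example `/* No target, or a "*" target: the entry applies to every dest_princ, including a NULL one. */`. `matchgood` and `state` are set outside the hunk, and the body of `acl_find_entry` starts and ends outside it, so both points should be confirmed against the full function.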