.. _kadm5.acl(5):

kadm5.acl
=========

DESCRIPTION
-----------

The Kerberos :ref:`kadmind(8)` daemon uses an Access Control List
(ACL) file to manage access rights to the Kerberos database.
For operations that affect principals, the ACL file also controls
which principals can operate on which other principals.

The default location of the Kerberos ACL file is
|kdcdir|\ ``/kadm5.acl`` unless this is overridden by the *acl_file*
variable in :ref:`kdc.conf(5)`.

SYNTAX
------

Empty lines and lines starting with the sharp sign (``#``) are
ignored.  Lines containing ACL entries have the format::

    principal permissions [target_principal [restrictions] ]

.. note::

    Line order in the ACL file is important.  The first matching entry
    will control access for an actor principal on a target principal.

*principal*
    (Partially or fully qualified Kerberos principal name.) Specifies
    the principal whose permissions are to be set.

    Each component of the name may be wildcarded using the ``*``
    character.

*permissions*
    Specifies what operations may or may not be performed by a
    *principal* matching a particular entry.  This is a string of one or
    more of the following list of characters or their upper-case
    counterparts.  If the character is *upper-case*, then the operation
    is disallowed.  If the character is *lower-case*, then the operation
    is permitted.

    == ======================================================
    a  [Dis]allows the addition of principals or policies
    c  [Dis]allows the changing of passwords for principals
    d  [Dis]allows the deletion of principals or policies
    e  [Dis]allows the extraction of principal keys
    i  [Dis]allows inquiries about principals or policies
    l  [Dis]allows the listing of all principals or policies
    m  [Dis]allows the modification of principals or policies
    p  [Dis]allows the propagation of the principal database (used in :ref:`incr_db_prop`)
    s  [Dis]allows the explicit setting of the key for a principal
    x  Short for admcilsp. All privileges (except ``e``)
    \* Same as x.
    == ======================================================

    .. note::

        The ``extract`` privilege is not included in the wildcard
        privilege; it must be explicitly assigned.  This privilege
        allows the user to extract keys from the database, and must be
        handled with great care to avoid disclosure of important keys
        like those of the kadmin/* or krbtgt/* principals.  The
        **lockdown_keys** principal attribute can be used to prevent
        key extraction from specific principals regardless of the
        granted privilege.

*target_principal*
    (Optional. Partially or fully qualified Kerberos principal name.)
    Specifies the principal on which *permissions* may be applied.
    Each component of the name may be wildcarded using the ``*``
    character.

    *target_principal* can also include back-references to *principal*,
    in which ``*number`` matches the corresponding wildcard in
    *principal*.

*restrictions*
    (Optional) A string of flags. Allowed restrictions are:

    {+\|-}\ *flagname*
        flag is forced to the indicated value.  The permissible flags
        are the same as those for the **default_principal_flags**
        variable in :ref:`kdc.conf(5)`.

    *-clearpolicy*
        policy is forced to be empty.

    *-policy pol*
        policy is forced to be *pol*.

    -{*expire, pwexpire, maxlife, maxrenewlife*} *time*
        (:ref:`getdate` string) associated value will be forced to
        MIN(*time*, requested value).

    The above flags act as restrictions on any add or modify operation
    which is allowed due to that ACL line.
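
The following is an added example, not part of the krb5 documentation or of
krb5's code, that models how the restrictions above act on an add or modify
request: ``{+|-}flagname`` forces a flag, ``-clearpolicy`` and ``-policy``
override the policy, and each time limit becomes MIN(*time*, requested value).
The request format (a dict with ``policy``, ``flags`` and limits in seconds)
and the abbreviated time parser standing in for :ref:`getdate` strings are
assumptions of the example.

```python
"""Model of how the restrictions field of a kadm5.acl entry is applied to an
add or modify request (added example, not krb5's own code). A request is a dict
with optional 'policy', 'flags' ({flagname: bool}) and time limits in seconds."""
import re

LIMIT_KEYS = ("expire", "pwexpire", "maxlife", "maxrenewlife")
TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_time(text):
    """Simplified stand-in for the getdate strings kadmind accepts: '9h', '30m', '2d'."""
    m = re.fullmatch(r"(\d+)([smhd])", text)
    if m is None:
        raise ValueError(f"unsupported time string {text!r}")
    return int(m.group(1)) * TIME_UNITS[m.group(2)]

def parse_restrictions(text):
    """Split the restrictions field of an ACL line into whitespace-separated tokens."""
    return text.split()

def apply_restrictions(restrictions, requested):
    """Return the request as the ACL line forces it: {+|-}flag sets the flag,
    -clearpolicy/-policy override the policy, and each time limit becomes
    MIN(limit, requested value), or the limit itself if nothing was requested."""
    result = dict(requested)
    result["flags"] = dict(requested.get("flags", {}))
    toks, i = parse_restrictions(restrictions), 0
    while i < len(toks):
        tok = toks[i]
        takes_arg = tok == "-policy" or (tok.startswith("-") and tok[1:] in LIMIT_KEYS)
        if takes_arg:
            if i + 1 >= len(toks):
                raise ValueError(f"{tok} needs an argument")
            i += 1
            arg = toks[i]
            if tok == "-policy":
                result["policy"] = arg
            else:
                key, limit = tok[1:], parse_time(arg)
                result[key] = min(limit, result[key]) if key in result else limit
        elif tok == "-clearpolicy":
            result.pop("policy", None)
        elif tok[0] in "+-" and len(tok) > 1:
            result["flags"][tok[1:]] = tok.startswith("+")
        else:
            raise ValueError(f"bad restriction token {tok!r}")
        i += 1
    return result

if __name__ == "__main__":
    # Line 6 of the page's example grants sms everything but caps what it creates.
    print(apply_restrictions("-maxlife 9h -postdateable",
                             {"maxlife": 24 * 3600, "flags": {"postdateable": True}}))
```

Because the cap is a minimum rather than an override, a request that is already
stricter than the ACL line passes through unchanged, while a missing value is
forced to the limit; that is why a ``-maxlife`` restriction on a creating
principal bounds every principal it creates.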

.. warning::

    If the kadmind ACL file is modified, the kadmind daemon needs to be
    restarted for changes to take effect.

EXAMPLE
-------

Here is an example of a kadm5.acl file::

    */admin@ATHENA.MIT.EDU    *                               # line 1
    joeadmin@ATHENA.MIT.EDU   ADMCIL                          # line 2
    joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU       # line 3
    */root@ATHENA.MIT.EDU     ci  *1@ATHENA.MIT.EDU           # line 4
    */root@ATHENA.MIT.EDU     l   *                           # line 5
    sms@ATHENA.MIT.EDU        x   * -maxlife 9h -postdateable # line 6

(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with an
``admin`` instance has all administrative privileges except extracting
keys.

(lines 1-3) The user ``joeadmin`` has all permissions except
extracting keys with his ``admin`` instance,
``joeadmin/admin@ATHENA.MIT.EDU`` (matches line 1).  He has no
permissions at all with his null instance, ``joeadmin@ATHENA.MIT.EDU``
(matches line 2).  His ``root`` and other non-``admin``, non-null
instances (e.g., ``extra`` or ``dbadmin``) have inquire permissions
with any principal that has the instance ``root`` (matches line 3).

(line 4) Any ``root`` principal in ``ATHENA.MIT.EDU`` can inquire
or change the password of their null instance, but not any other
null instance.  (Here, ``*1`` denotes a back-reference to the
component matching the first wildcard in the actor principal.)

(line 5) Any ``root`` principal in ``ATHENA.MIT.EDU`` can generate
the list of principals in the database, and the list of policies
in the database.  This line is separate from line 4, because list
permission can only be granted globally, not to specific target
principals.

(line 6) Finally, the Service Management System principal
``sms@ATHENA.MIT.EDU`` has all permissions except extracting keys, but
any principal that it creates or modifies will not be able to get
postdateable tickets or tickets with a life of longer than 9 hours.
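
As an added example (not code from krb5 or from this page), the following
Python models the matching rules from the SYNTAX section and runs them over the
example file above: the first matching entry wins, ``*`` matches one whole
component, ``*N`` in the target refers back to the N-th wildcard of the actor
pattern, upper-case letters revoke, and an entry that names a target never
matches a target-less operation such as list.  Assumptions of the example:
principals always carry a realm, ``#`` starts a comment anywhere on a line (as
the example's trailing comments suggest), and a target of ``*`` is treated as
no target.

```python
"""Model of the kadm5.acl matching rules described on this page (added example,
not krb5's own code): first matching entry wins, '*' matches one whole component,
'*N' in a target refers back to the N-th wildcard of the actor pattern, and
upper-case permission letters deny."""
import re

ALL_EXCEPT_E = set("admcilsp")  # what 'x' and '*' expand to

def split_principal(princ):
    """'name/inst@REALM' -> ['name', 'inst', 'REALM']; assumes an explicit realm
    and no escaped '/' or '@' characters."""
    name, sep, realm = princ.rpartition("@")
    if not sep:
        raise ValueError(f"principal without realm: {princ!r}")
    return name.split("/") + [realm]

def match_princ(pattern, princ, ws):
    """Component-wise match; 'ws' records what each '*' matched so that a later
    '*N' (N counted from 1) can refer back to it."""
    pc, nc = split_principal(pattern), split_principal(princ)
    if len(pc) != len(nc):
        return False
    for p, n in zip(pc, nc):
        if p == "*":
            ws.append(n)
        elif re.fullmatch(r"\*\d+", p):
            idx = int(p[1:]) - 1
            if idx >= len(ws) or ws[idx] != n:
                return False
        elif p != n:
            return False
    return True

def parse_perms(spec):
    """Lower-case grants, upper-case revokes; later characters override earlier."""
    allowed = set()
    for ch in spec:
        if ch in "x*":
            allowed |= ALL_EXCEPT_E
        elif ch == "X":
            allowed -= ALL_EXCEPT_E
        elif ch.lower() in ALL_EXCEPT_E | {"e"}:
            (allowed.add if ch.islower() else allowed.discard)(ch.lower())
        else:
            raise ValueError(f"unknown permission character {ch!r}")
    return allowed

def parse_acl(text):
    """Parse ACL text into entries. Assumptions: '#' to end of line is a comment
    (the page's example uses trailing comments) and a target of '*' means no target."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 2:
            raise ValueError(f"malformed ACL line: {raw!r}")
        target = fields[2] if len(fields) > 2 and fields[2] != "*" else None
        entries.append({"client": fields[0], "perms": parse_perms(fields[1]),
                        "target": target, "restrictions": fields[3:]})
    return entries

def find_entry(entries, client, target=None):
    """First entry whose actor pattern matches and, if it names a target, whose
    target pattern matches too. An entry with a target never matches a target-less
    operation such as list, which is why line 5 of the example exists."""
    for entry in entries:
        ws = []
        if not match_princ(entry["client"], client, ws):
            continue
        if entry["target"] is not None and (
                target is None or not match_princ(entry["target"], target, ws)):
            continue
        return entry
    return None

def acl_authorizes(entries, client, op, target=None):
    """True if the file grants permission letter 'op'. False only means the file
    does not authorize it; per MODULE BEHAVIOR that is never an authoritative deny."""
    entry = find_entry(entries, client, target)
    return entry is not None and op in entry["perms"]

# The page's example file, reproduced here as the sample input.
EXAMPLE_ACL = """\
*/admin@ATHENA.MIT.EDU    *                               # line 1
joeadmin@ATHENA.MIT.EDU   ADMCIL                          # line 2
joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU       # line 3
*/root@ATHENA.MIT.EDU     ci  *1@ATHENA.MIT.EDU           # line 4
*/root@ATHENA.MIT.EDU     l   *                           # line 5
sms@ATHENA.MIT.EDU        x   * -maxlife 9h -postdateable # line 6
"""

if __name__ == "__main__":
    acl = parse_acl(EXAMPLE_ACL)
    for client, op, target in [("joeadmin/root@ATHENA.MIT.EDU", "c", "joeadmin@ATHENA.MIT.EDU"),
                               ("joeadmin/root@ATHENA.MIT.EDU", "c", "bob@ATHENA.MIT.EDU"),
                               ("alice/root@ATHENA.MIT.EDU", "l", None)]:
        print(client, op, target, acl_authorizes(acl, client, op, target))
```

Running a model like this over a proposed ACL before restarting kadmind is a
cheap way to confirm that a reordering or a new wildcard entry does not widen
access, since the first-match rule means an early broad entry shadows every
narrower one below it.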

MODULE BEHAVIOR
---------------

The ACL file can coexist with other authorization modules in release
1.16 and later, as configured in the :ref:`kadm5_auth` section of
:ref:`krb5.conf(5)`.  The ACL file will positively authorize
operations according to the rules above, but will never
authoritatively deny an operation, so other modules can authorize
operations in addition to those authorized by the ACL file.

To operate without an ACL file, set the *acl_file* variable in
:ref:`kdc.conf(5)` to the empty string with ``acl_file = ""``.

SEE ALSO
--------

:ref:`kdc.conf(5)`, :ref:`kadmind(8)`