Diffstat (limited to 'src/lib/kadm5')
| -rw-r--r-- | src/lib/kadm5/chpass_util.c | 8 | ||||
| -rw-r--r-- | src/lib/kadm5/deps | 14 | ||||
| -rw-r--r-- | src/lib/kadm5/kadm_err.et | 1 | ||||
| -rw-r--r-- | src/lib/kadm5/srv/Makefile.in | 20 | ||||
| -rw-r--r-- | src/lib/kadm5/srv/deps | 21 | ||||
| -rw-r--r-- | src/lib/kadm5/srv/libkadm5srv_mit.exports | 5 | ||||
| -rw-r--r-- | src/lib/kadm5/srv/server_acl.c | 823 | ||||
| -rw-r--r-- | src/lib/kadm5/srv/server_acl.h | 100 | ||||
| -rw-r--r-- | src/lib/kadm5/srv/server_kdb.c | 2 | ||||
| -rw-r--r-- | src/lib/kadm5/srv/server_misc.c | 14 | ||||
| -rw-r--r-- | src/lib/kadm5/srv/svr_principal.c | 88 | ||||
| -rw-r--r-- | src/lib/kadm5/unit-test/setkey-test.c | 3 |
12 files changed, 51 insertions, 1048 deletions
diff --git a/src/lib/kadm5/chpass_util.c b/src/lib/kadm5/chpass_util.c
index 408b0eb31fac..1680a5504922 100644
--- a/src/lib/kadm5/chpass_util.c
+++ b/src/lib/kadm5/chpass_util.c
@@ -4,15 +4,11 @@
 */
-#include "autoconf.h"
-#include <stdio.h>
-#include <time.h>
-#include <string.h>
+#include "k5-int.h"
 #include <kadm5/admin.h>
 #include "admin_internal.h"
-#include <krb5.h>
 #define string_text error_message
@@ -218,7 +214,7 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle,
 time_t until;
 char *time_string, *ptr;
- until = princ_ent.last_pwd_change + policy_ent.pw_min_life;
+ until = ts_incr(princ_ent.last_pwd_change, policy_ent.pw_min_life);
 time_string = ctime(&until);
 if (*(ptr = &time_string[strlen(time_string)-1]) == '\n')
diff --git a/src/lib/kadm5/deps b/src/lib/kadm5/deps
index c9f0cbfdb7e2..3585f08f6442 100644
--- a/src/lib/kadm5/deps
+++ b/src/lib/kadm5/deps
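Review bot: In the `@@ -218,7 +214,7 @@` hunk of chpass_util.c the result of `ts_incr()` is assigned directly to `time_t until`; if `ts_incr()` returns a signed 32-bit `krb5_timestamp` (its definition lives in k5-int.h and is not shown here), a sum past 2038 is sign-extended to a negative `time_t` on platforms with a 64-bit `time_t`, and `ctime()` will format a pre-1970 date. An explicit conversion keeps the intent of the change: `until = ts2tt(ts_incr(princ_ent.last_pwd_change, policy_ent.pw_min_life));`, assuming the `ts2tt()` helper is available next to `ts_incr()` in this tree. The context line that follows dereferences the return value of `ctime(&until)` without a NULL check, which is worth guarding now that out-of-range values are being considered. The enclosing function starts and ends outside the hunk.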
@@ -42,13 +42,21 @@ chpass_util.so chpass_util.po $(OUTPRE)chpass_util.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ - $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/kdb.h \ - $(top_srcdir)/include/krb5.h admin_internal.h chpass_util.c + $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + admin_internal.h chpass_util.c alt_prof.so alt_prof.po $(OUTPRE)alt_prof.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ diff --git a/src/lib/kadm5/kadm_err.et b/src/lib/kadm5/kadm_err.et index 71b053460117..892a6fac1053 100644 --- a/src/lib/kadm5/kadm_err.et +++ b/src/lib/kadm5/kadm_err.et 
@@ -66,4 +66,5 @@ error_code KADM5_BAD_KEYSALTS, "Invalid key/salt tuples"
 error_code KADM5_SETKEY_BAD_KVNO, "Invalid multiple or duplicate kvnos in setkey operation"
 error_code KADM5_AUTH_EXTRACT, "Operation requires ``extract-keys'' privilege"
 error_code KADM5_PROTECT_KEYS, "Principal keys are locked down"
+error_code KADM5_AUTH_INITIAL, "Operation requires initial ticket"
 end
diff --git a/src/lib/kadm5/srv/Makefile.in b/src/lib/kadm5/srv/Makefile.in
index f4b5b5b6a06d..617d6566665f 100644
--- a/src/lib/kadm5/srv/Makefile.in
+++ b/src/lib/kadm5/srv/Makefile.in
@@ -32,7 +32,6 @@ SRCS = $(srcdir)/pwqual.c \
 $(srcdir)/pwqual_princ.c \
 $(srcdir)/svr_policy.c \
 $(srcdir)/svr_principal.c \
- $(srcdir)/server_acl.c \
 $(srcdir)/server_kdb.c \
 $(srcdir)/server_misc.c \
 $(srcdir)/server_init.c \
@@ -48,7 +47,6 @@ OBJS = pwqual.$(OBJEXT) \
 kadm5_hook.$(OBJEXT) \
 svr_policy.$(OBJEXT) \
 svr_principal.$(OBJEXT) \
- server_acl.$(OBJEXT) \
 server_kdb.$(OBJEXT) \
 server_misc.$(OBJEXT) \
 server_init.$(OBJEXT) \
@@ -65,7 +63,6 @@ STLIBOBJS = \
 kadm5_hook.o \
 svr_policy.o \
 svr_principal.o \
- server_acl.o \
 server_kdb.o \
 server_misc.o \
 server_init.o \
@@ -73,23 +70,10 @@ STLIBOBJS = \
 svr_chpass_util.o \
 adb_xdr.o
-all-unix: includes
 all-unix: all-liblinks
 all-windows: $(OBJS)
-generate-files-mac: includes darwin.exports
-
-includes: server_acl.h
- if cmp $(srcdir)/server_acl.h \
- $(BUILDTOP)/include/kadm5/server_acl.h >/dev/null 2>&1; then :; \
- else \
- (set -x; $(RM) $(BUILDTOP)/include/kadm5/server_acl.h; \
- $(CP) $(srcdir)/server_acl.h \
- $(BUILDTOP)/include/kadm5/server_acl.h) ; \
- fi
-
-clean-unix::
- $(RM) $(BUILDTOP)/include/kadm5/server_acl.h
+generate-files-mac: darwin.exports
 check-windows:
@@ -104,8 +88,6 @@ install-unix:
 (cd $(DESTDIR)$(KRB5_LIBDIR) && $(LN_S) lib$(LIBBASE)$(DEPLIBEXT) \
 libkadm5srv$(DEPLIBEXT))
-depend: includes
-
 @lib_frag@
 @libobj_frag@
diff --git a/src/lib/kadm5/srv/deps b/src/lib/kadm5/srv/deps
index 20df4e9b8205..01080d56053e 100644
--- a/src/lib/kadm5/srv/deps
+++ b/src/lib/kadm5/srv/deps
@@ -150,27 +150,6 @@ svr_principal.so svr_principal.po $(OUTPRE)svr_principal.$(OBJEXT): \ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/kadm5_hook_plugin.h \ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ $(top_srcdir)/include/socket-utils.h svr_principal.c -server_acl.so server_acl.po $(OUTPRE)server_acl.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_generic.h $(BUILDTOP)/include/gssrpc/types.h \ - $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \ - $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/adm_proto.h $(top_srcdir)/include/gssrpc/auth.h \ - $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ - $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ - $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ - $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ - $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - server_acl.c server_acl.h server_kdb.so server_kdb.po $(OUTPRE)server_kdb.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ 
 $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \
diff --git a/src/lib/kadm5/srv/libkadm5srv_mit.exports b/src/lib/kadm5/srv/libkadm5srv_mit.exports
index aedfdd7f5813..804eba16abb8 100644
--- a/src/lib/kadm5/srv/libkadm5srv_mit.exports
+++ b/src/lib/kadm5/srv/libkadm5srv_mit.exports
@@ -1,10 +1,5 @@
 _kadm5_check_handle
 _kadm5_chpass_principal_util
-kadm5int_acl_check
-kadm5int_acl_check_krb
-kadm5int_acl_finish
-kadm5int_acl_impose_restrictions
-kadm5int_acl_init
 hist_princ
 kadm5_set_use_password_server
 kadm5_chpass_principal
diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c
deleted file mode 100644
index 59ed0b975472..000000000000
--- a/src/lib/kadm5/srv/server_acl.c
+++ /dev/null
@@ -1,823 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/kadm5/srv/server_acl.c */ -/* - * Copyright 1995-2004, 2007, 2008 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. 
- */ - -#include "k5-int.h" -#include <syslog.h> -#include <sys/param.h> -#include <gssapi/gssapi_generic.h> -#include <kadm5/server_internal.h> -#include <kadm5/admin.h> -#include "adm_proto.h" -#include "server_acl.h" -#include <ctype.h> - -typedef struct _acl_op_table { - char ao_op; - krb5_int32 ao_mask; -} aop_t; - -typedef struct _acl_entry { - struct _acl_entry *ae_next; - char *ae_name; - krb5_boolean ae_name_bad; - krb5_principal ae_principal; - krb5_int32 ae_op_allowed; - char *ae_target; - krb5_boolean ae_target_bad; - krb5_principal ae_target_princ; - char *ae_restriction_string; - /* eg: "-maxlife 3h -service +proxiable" */ - krb5_boolean ae_restriction_bad; - restriction_t *ae_restrictions; -} aent_t; - -static const aop_t acl_op_table[] = { - { 'a', ACL_ADD }, - { 'd', ACL_DELETE }, - { 'm', ACL_MODIFY }, - { 'c', ACL_CHANGEPW }, - { 'i', ACL_INQUIRE }, - { 'l', ACL_LIST }, - { 'p', ACL_IPROP }, - { 's', ACL_SETKEY }, - { 'x', ACL_ALL_MASK }, - { '*', ACL_ALL_MASK }, - { 'e', ACL_EXTRACT }, - { '\0', 0 } -}; - -typedef struct _wildstate { - int nwild; - const krb5_data *backref[9]; -} wildstate_t; - -static aent_t *acl_list_head = (aent_t *) NULL; -static aent_t *acl_list_tail = (aent_t *) NULL; - -static const char *acl_acl_file = (char *) NULL; -static int acl_inited = 0; -static int acl_debug_level = 0; -/* - * This is the catchall entry. If nothing else appropriate is found, or in - * the case where the ACL file is not present, this entry controls what can - * be done. - */ -static const char *acl_catchall_entry = NULL; - -static const char *acl_line2long_msg = N_("%s: line %d too long, truncated"); -static const char *acl_op_bad_msg = N_("Unrecognized ACL operation '%c' in " - "%s"); -static const char *acl_syn_err_msg = N_("%s: syntax error at line %d " - "<%10s...>"); -static const char *acl_cantopen_msg = N_("%s while opening ACL file %s"); - -/* - * kadm5int_acl_get_line() - Get a line from the ACL file. 
- * Lines ending with \ are continued on the next line - */ -static char * -kadm5int_acl_get_line(fp, lnp) - FILE *fp; - int *lnp; /* caller should set to 1 before first call */ -{ - int i, domore; - static int line_incr = 0; - static char acl_buf[BUFSIZ]; - - *lnp += line_incr; - line_incr = 0; - for (domore = 1; domore && !feof(fp); ) { - /* Copy in the line, with continuations */ - for (i = 0; ((i < BUFSIZ) && !feof(fp)); i++) { - int byte; - byte = fgetc(fp); - acl_buf[i] = byte; - if (byte == EOF) { - if (i > 0 && acl_buf[i-1] == '\\') - i--; - break; /* it gets nulled-out below */ - } - else if (acl_buf[i] == '\n') { - if (i == 0 || acl_buf[i-1] != '\\') - break; /* empty line or normal end of line */ - else { - i -= 2; /* back up over "\\\n" and continue */ - line_incr++; - } - } - } - /* Check if we exceeded our buffer size */ - if (i == sizeof acl_buf && (i--, !feof(fp))) { - int c1 = acl_buf[i], c2; - - krb5_klog_syslog(LOG_ERR, _(acl_line2long_msg), acl_acl_file, - *lnp); - while ((c2 = fgetc(fp)) != EOF) { - if (c2 == '\n') { - if (c1 != '\\') - break; - line_incr++; - } - c1 = c2; - } - } - acl_buf[i] = '\0'; - if (acl_buf[0] == (char) EOF) /* ptooey */ - acl_buf[0] = '\0'; - else - line_incr++; - if ((acl_buf[0] != '#') && (acl_buf[0] != '\0')) - domore = 0; - } - if (domore || (strlen(acl_buf) == 0)) - return((char *) NULL); - else - return(acl_buf); -} - -/* - * kadm5int_acl_parse_line() - Parse the contents of an ACL line. 
- */ -static aent_t * -kadm5int_acl_parse_line(lp) - const char *lp; -{ - static char acle_principal[BUFSIZ]; - static char acle_ops[BUFSIZ]; - static char acle_object[BUFSIZ]; - static char acle_restrictions[BUFSIZ]; - aent_t *acle; - char *op; - int t, found, opok, nmatch; - - DPRINT(DEBUG_CALLS, acl_debug_level, - ("* kadm5int_acl_parse_line(line=%20s)\n", lp)); - /* - * Format is still simple: - * entry ::= [<whitespace>] <principal> <whitespace> <opstring> - * [<whitespace> <target> [<whitespace> <restrictions> - * [<whitespace>]]] - */ - acle = (aent_t *) NULL; - acle_object[0] = '\0'; - nmatch = sscanf(lp, "%s %s %s %[^\n]", acle_principal, acle_ops, - acle_object, acle_restrictions); - if (nmatch >= 2) { - acle = (aent_t *) malloc(sizeof(aent_t)); - if (acle) { - acle->ae_next = (aent_t *) NULL; - acle->ae_op_allowed = (krb5_int32) 0; - acle->ae_target = - (nmatch >= 3) ? strdup(acle_object) : (char *) NULL; - acle->ae_target_bad = 0; - acle->ae_target_princ = (krb5_principal) NULL; - opok = 1; - for (op=acle_ops; *op; op++) { - char rop; - - rop = (isupper((unsigned char) *op)) ? 
tolower((unsigned char) *op) : *op; - found = 0; - for (t=0; acl_op_table[t].ao_op; t++) { - if (rop == acl_op_table[t].ao_op) { - found = 1; - if (rop == *op) - acle->ae_op_allowed |= acl_op_table[t].ao_mask; - else - acle->ae_op_allowed &= ~acl_op_table[t].ao_mask; - } - } - if (!found) { - krb5_klog_syslog(LOG_ERR, _(acl_op_bad_msg), *op, lp); - opok = 0; - } - } - if (opok) { - acle->ae_name = strdup(acle_principal); - if (acle->ae_name) { - acle->ae_principal = (krb5_principal) NULL; - acle->ae_name_bad = 0; - DPRINT(DEBUG_ACL, acl_debug_level, - ("A ACL entry %s -> opmask %x\n", - acle->ae_name, acle->ae_op_allowed)); - } - else { - if (acle->ae_target) - free(acle->ae_target); - free(acle); - acle = (aent_t *) NULL; - } - } - else { - if (acle->ae_target) - free(acle->ae_target); - free(acle); - acle = (aent_t *) NULL; - } - - if (acle) { - if ( nmatch >= 4 ) { - char *trailing; - - trailing = &acle_restrictions[strlen(acle_restrictions)-1]; - while ( isspace((int) *trailing) ) - trailing--; - trailing[1] = '\0'; - acle->ae_restriction_string = - strdup(acle_restrictions); - } - else { - acle->ae_restriction_string = (char *) NULL; - } - acle->ae_restriction_bad = 0; - acle->ae_restrictions = (restriction_t *) NULL; - } - } - } - DPRINT(DEBUG_CALLS, acl_debug_level, - ("X kadm5int_acl_parse_line() = %x\n", (long) acle)); - return(acle); -} - -/* - * kadm5int_acl_parse_restrictions() - Parse optional restrictions field - * - * Allowed restrictions are: - * [+-]flagname (recognized by krb5_flagspec_to_mask) - * flag is forced to indicated value - * -clearpolicy policy is forced clear - * -policy pol policy is forced to be "pol" - * -{expire,pwexpire,maxlife,maxrenewlife} deltat - * associated value will be forced to - * MIN(deltat, requested value) - * - * Returns: 0 on success, or system errors - */ -static krb5_error_code -kadm5int_acl_parse_restrictions(s, rpp) - char *s; - restriction_t **rpp; -{ - char *sp = NULL, *tp, *ap, *save; - static const char 
*delims = "\t\n\f\v\r ,"; - krb5_deltat dt; - krb5_error_code code; - - DPRINT(DEBUG_CALLS, acl_debug_level, - ("* kadm5int_acl_parse_restrictions(s=%20s, rpp=0x%08x)\n", s, (long)rpp)); - - *rpp = (restriction_t *) NULL; - code = 0; - if (s) { - if (!(sp = strdup(s)) /* Don't munge the original */ - || !(*rpp = (restriction_t *) malloc(sizeof(restriction_t)))) { - code = ENOMEM; - } else { - memset(*rpp, 0, sizeof(**rpp)); - (*rpp)->forbid_attrs = ~(krb5_flags)0; - for (tp = strtok_r(sp, delims, &save); tp; - tp = strtok_r(NULL, delims, &save)) { - if (!krb5_flagspec_to_mask(tp, &(*rpp)->require_attrs, - &(*rpp)->forbid_attrs)) { - (*rpp)->mask |= KADM5_ATTRIBUTES; - } else if (!strcmp(tp, "-clearpolicy")) { - (*rpp)->mask |= KADM5_POLICY_CLR; - } else { - /* everything else needs an argument ... */ - if (!(ap = strtok_r(NULL, delims, &save))) { - code = EINVAL; - break; - } - if (!strcmp(tp, "-policy")) { - if (!((*rpp)->policy = strdup(ap))) { - code = ENOMEM; - break; - } - (*rpp)->mask |= KADM5_POLICY; - } else { - /* all other arguments must be a deltat ... 
*/ - if (krb5_string_to_deltat(ap, &dt)) { - code = EINVAL; - break; - } - if (!strcmp(tp, "-expire")) { - (*rpp)->princ_lifetime = dt; - (*rpp)->mask |= KADM5_PRINC_EXPIRE_TIME; - } else if (!strcmp(tp, "-pwexpire")) { - (*rpp)->pw_lifetime = dt; - (*rpp)->mask |= KADM5_PW_EXPIRATION; - } else if (!strcmp(tp, "-maxlife")) { - (*rpp)->max_life = dt; - (*rpp)->mask |= KADM5_MAX_LIFE; - } else if (!strcmp(tp, "-maxrenewlife")) { - (*rpp)->max_renewable_life = dt; - (*rpp)->mask |= KADM5_MAX_RLIFE; - } else { - code = EINVAL; - break; - } - } - } - } - if (code) { - krb5_klog_syslog(LOG_ERR, _("%s: invalid restrictions: %s"), - acl_acl_file, s); - } - } - } - if (sp) - free(sp); - if (*rpp && code) { - if ((*rpp)->policy) - free((*rpp)->policy); - free(*rpp); - *rpp = (restriction_t *) NULL; - } - DPRINT(DEBUG_CALLS, acl_debug_level, - ("X kadm5int_acl_parse_restrictions() = %d, mask=0x%08x\n", - code, (*rpp) ? (*rpp)->mask : 0)); - return code; -} - -/* - * kadm5int_acl_impose_restrictions() - impose restrictions, modifying *recp, *maskp - * - * Returns: 0 on success; - * malloc or timeofday errors - */ -krb5_error_code -kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp) - krb5_context kcontext; - kadm5_principal_ent_rec *recp; - long *maskp; - restriction_t *rp; -{ - krb5_error_code code; - krb5_int32 now; - - DPRINT(DEBUG_CALLS, acl_debug_level, - ("* kadm5int_acl_impose_restrictions(..., *maskp=0x%08x, rp=0x%08x)\n", - *maskp, (long)rp)); - if (!rp) - return 0; - if (rp->mask & (KADM5_PRINC_EXPIRE_TIME|KADM5_PW_EXPIRATION)) - if ((code = krb5_timeofday(kcontext, &now))) - return code; - - if (rp->mask & KADM5_ATTRIBUTES) { - recp->attributes |= rp->require_attrs; - recp->attributes &= rp->forbid_attrs; - *maskp |= KADM5_ATTRIBUTES; - } - if (rp->mask & KADM5_POLICY_CLR) { - *maskp &= ~KADM5_POLICY; - *maskp |= KADM5_POLICY_CLR; - } else if (rp->mask & KADM5_POLICY) { - if (recp->policy && strcmp(recp->policy, rp->policy)) { - free(recp->policy); - 
recp->policy = (char *) NULL; - } - if (!recp->policy) { - recp->policy = strdup(rp->policy); /* XDR will free it */ - if (!recp->policy) - return ENOMEM; - } - *maskp |= KADM5_POLICY; - } - if (rp->mask & KADM5_PRINC_EXPIRE_TIME) { - if (!(*maskp & KADM5_PRINC_EXPIRE_TIME) - || (recp->princ_expire_time > (now + rp->princ_lifetime))) - recp->princ_expire_time = now + rp->princ_lifetime; - *maskp |= KADM5_PRINC_EXPIRE_TIME; - } - if (rp->mask & KADM5_PW_EXPIRATION) { - if (!(*maskp & KADM5_PW_EXPIRATION) - || (recp->pw_expiration > (now + rp->pw_lifetime))) - recp->pw_expiration = now + rp->pw_lifetime; - *maskp |= KADM5_PW_EXPIRATION; - } - if (rp->mask & KADM5_MAX_LIFE) { - if (!(*maskp & KADM5_MAX_LIFE) - || (recp->max_life > rp->max_life)) - recp->max_life = rp->max_life; - *maskp |= KADM5_MAX_LIFE; - } - if (rp->mask & KADM5_MAX_RLIFE) { - if (!(*maskp & KADM5_MAX_RLIFE) - || (recp->max_renewable_life > rp->max_renewable_life)) - recp->max_renewable_life = rp->max_renewable_life; - *maskp |= KADM5_MAX_RLIFE; - } - DPRINT(DEBUG_CALLS, acl_debug_level, - ("X kadm5int_acl_impose_restrictions() = 0, *maskp=0x%08x\n", *maskp)); - return 0; -} - -/* - * kadm5int_acl_free_entries() - Free all ACL entries. 
- */ -static void -kadm5int_acl_free_entries() -{ - aent_t *ap; - aent_t *np; - - DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_free_entries()\n")); - for (ap=acl_list_head; ap; ap = np) { - if (ap->ae_name) - free(ap->ae_name); - if (ap->ae_principal) - krb5_free_principal((krb5_context) NULL, ap->ae_principal); - if (ap->ae_target) - free(ap->ae_target); - if (ap->ae_target_princ) - krb5_free_principal((krb5_context) NULL, ap->ae_target_princ); - if (ap->ae_restriction_string) - free(ap->ae_restriction_string); - if (ap->ae_restrictions) { - if (ap->ae_restrictions->policy) - free(ap->ae_restrictions->policy); - free(ap->ae_restrictions); - } - np = ap->ae_next; - free(ap); - } - acl_list_head = acl_list_tail = (aent_t *) NULL; - acl_inited = 0; - DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_free_entries()\n")); -} - -/* - * kadm5int_acl_load_acl_file() - Open and parse the ACL file. - */ -static int -kadm5int_acl_load_acl_file() -{ - FILE *afp; - char *alinep; - aent_t **aentpp; - int alineno; - int retval = 1; - - DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_load_acl_file()\n")); - /* Open the ACL file for read */ - afp = fopen(acl_acl_file, "r"); - if (afp) { - set_cloexec_file(afp); - alineno = 1; - aentpp = &acl_list_head; - - /* Get a non-comment line */ - while ((alinep = kadm5int_acl_get_line(afp, &alineno))) { - /* Parse it */ - *aentpp = kadm5int_acl_parse_line(alinep); - /* If syntax error, then fall out */ - if (!*aentpp) { - krb5_klog_syslog(LOG_ERR, _(acl_syn_err_msg), - acl_acl_file, alineno, alinep); - retval = 0; - break; - } - acl_list_tail = *aentpp; - aentpp = &(*aentpp)->ae_next; - } - - fclose(afp); - - if (acl_catchall_entry) { - *aentpp = kadm5int_acl_parse_line(acl_catchall_entry); - if (*aentpp) { - acl_list_tail = *aentpp; - } - else { - retval = 0; - DPRINT(DEBUG_OPERATION, acl_debug_level, - ("> catchall acl entry (%s) load failed\n", - acl_catchall_entry)); - } - } - } - else { - krb5_klog_syslog(LOG_ERR, 
_(acl_cantopen_msg), - error_message(errno), acl_acl_file); - if (acl_catchall_entry && - (acl_list_head = kadm5int_acl_parse_line(acl_catchall_entry))) { - acl_list_tail = acl_list_head; - } - else { - retval = 0; - DPRINT(DEBUG_OPERATION, acl_debug_level, - ("> catchall acl entry (%s) load failed\n", - acl_catchall_entry)); - } - } - - if (!retval) { - kadm5int_acl_free_entries(); - } - DPRINT(DEBUG_CALLS, acl_debug_level, - ("X kadm5int_acl_load_acl_file() = %d\n", retval)); - return(retval); -} - -/* - * kadm5int_acl_match_data() - See if two data entries match. - * - * Wildcarding is only supported for a whole component. - */ -static krb5_boolean -kadm5int_acl_match_data(const krb5_data *e1, const krb5_data *e2, - int targetflag, wildstate_t *ws) -{ - krb5_boolean retval; - - DPRINT(DEBUG_CALLS, acl_debug_level, - ("* acl_match_entry(%s, %s)\n", e1->data, e2->data)); - retval = 0; - if (!strncmp(e1->data, "*", e1->length)) { - retval = 1; - if (ws && !targetflag) { - if (ws->nwild >= 9) { - DPRINT(DEBUG_ACL, acl_debug_level, - ("Too many wildcards in ACL entry.\n")); - } - else - ws->backref[ws->nwild++] = e2; - } - } - else if (ws && targetflag && (e1->length == 2) && (e1->data[0] == '*') && - (e1->data[1] >= '1') && (e1->data[1] <= '9')) { - int n = e1->data[1] - '1'; - if (n >= ws->nwild) { - DPRINT(DEBUG_ACL, acl_debug_level, - ("Too many backrefs in ACL entry.\n")); - } - else if ((ws->backref[n]->length == e2->length) && - (!strncmp(ws->backref[n]->data, e2->data, e2->length))) - retval = 1; - - } - else { - if ((e1->length == e2->length) && - (!strncmp(e1->data, e2->data, e1->length))) - retval = 1; - } - DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_match_entry()=%d\n",retval)); - return(retval); -} - -/* - * kadm5int_acl_find_entry() - Find a matching entry. 
- */ -static aent_t * -kadm5int_acl_find_entry(krb5_context kcontext, krb5_const_principal principal, - krb5_const_principal dest_princ) -{ - aent_t *entry; - krb5_error_code kret; - int i; - int matchgood; - wildstate_t state; - - DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_find_entry()\n")); - for (entry=acl_list_head; entry; entry = entry->ae_next) { - memset(&state, 0, sizeof(state)); - if (entry->ae_name_bad) - continue; - if (!strcmp(entry->ae_name, "*")) { - DPRINT(DEBUG_ACL, acl_debug_level, ("A wildcard ACL match\n")); - matchgood = 1; - } - else { - if (!entry->ae_principal && !entry->ae_name_bad) { - kret = krb5_parse_name(kcontext, - entry->ae_name, - &entry->ae_principal); - if (kret) - entry->ae_name_bad = 1; - } - if (entry->ae_name_bad) { - DPRINT(DEBUG_ACL, acl_debug_level, - ("Bad ACL entry %s\n", entry->ae_name)); - continue; - } - matchgood = 0; - if (kadm5int_acl_match_data(&entry->ae_principal->realm, - &principal->realm, 0, (wildstate_t *)0) && - (entry->ae_principal->length == principal->length)) { - matchgood = 1; - for (i=0; i<principal->length; i++) { - if (!kadm5int_acl_match_data(&entry->ae_principal->data[i], - &principal->data[i], 0, &state)) { - matchgood = 0; - break; - } - } - } - } - if (!matchgood) - continue; - - /* We've matched the principal. 
If we have a target, then try it */ - if (entry->ae_target && strcmp(entry->ae_target, "*")) { - if (!entry->ae_target_princ && !entry->ae_target_bad) { - kret = krb5_parse_name(kcontext, entry->ae_target, - &entry->ae_target_princ); - if (kret) - entry->ae_target_bad = 1; - } - if (entry->ae_target_bad) { - DPRINT(DEBUG_ACL, acl_debug_level, - ("Bad target in ACL entry for %s\n", entry->ae_name)); - entry->ae_name_bad = 1; - continue; - } - if (!dest_princ) - matchgood = 0; - else if (entry->ae_target_princ && dest_princ) { - if (kadm5int_acl_match_data(&entry->ae_target_princ->realm, - &dest_princ->realm, 1, (wildstate_t *)0) && - (entry->ae_target_princ->length == dest_princ->length)) { - for (i=0; i<dest_princ->length; i++) { - if (!kadm5int_acl_match_data(&entry->ae_target_princ->data[i], - &dest_princ->data[i], 1, &state)) { - matchgood = 0; - break; - } - } - } - else - matchgood = 0; - } - } - if (!matchgood) - continue; - - if (entry->ae_restriction_string - && !entry->ae_restriction_bad - && !entry->ae_restrictions - && kadm5int_acl_parse_restrictions(entry->ae_restriction_string, - &entry->ae_restrictions)) { - DPRINT(DEBUG_ACL, acl_debug_level, - ("Bad restrictions in ACL entry for %s\n", entry->ae_name)); - entry->ae_restriction_bad = 1; - } - if (entry->ae_restriction_bad) { - entry->ae_name_bad = 1; - continue; - } - break; - } - DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_find_entry()=%x\n",entry)); - return(entry); -} - -/* - * kadm5int_acl_init() - Initialize ACL context. - */ -krb5_error_code -kadm5int_acl_init(kcontext, debug_level, acl_file) - krb5_context kcontext; - int debug_level; - char *acl_file; -{ - krb5_error_code kret; - - kret = 0; - acl_debug_level = debug_level; - DPRINT(DEBUG_CALLS, acl_debug_level, - ("* kadm5int_acl_init(afile=%s)\n", - ((acl_file) ? acl_file : "(null)"))); - acl_acl_file = (acl_file) ? 
acl_file : (char *) KRB5_DEFAULT_ADMIN_ACL; - acl_inited = kadm5int_acl_load_acl_file(); - - DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_init() = %d\n", kret)); - return(kret); -} - -/* - * kadm5int_acl_finish - Terminate ACL context. - */ -void -kadm5int_acl_finish(kcontext, debug_level) - krb5_context kcontext; - int debug_level; -{ - DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_finish()\n")); - kadm5int_acl_free_entries(); - DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_finish()\n")); -} - -/* - * kadm5int_acl_check_krb() - Is this operation permitted for this principal? - */ -krb5_boolean -kadm5int_acl_check_krb(kcontext, caller_princ, opmask, principal, restrictions) - krb5_context kcontext; - krb5_const_principal caller_princ; - krb5_int32 opmask; - krb5_const_principal principal; - restriction_t **restrictions; -{ - krb5_boolean retval; - aent_t *aentry; - - DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_op_permitted()\n")); - - retval = FALSE; - - aentry = kadm5int_acl_find_entry(kcontext, caller_princ, principal); - if (aentry) { - if ((aentry->ae_op_allowed & opmask) == opmask) { - retval = TRUE; - if (restrictions) { - *restrictions = - (aentry->ae_restrictions && aentry->ae_restrictions->mask) - ? aentry->ae_restrictions - : (restriction_t *) NULL; - } - } - } - - DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_op_permitted()=%d\n", - retval)); - return retval; -} - -/* - * kadm5int_acl_check() - Is this operation permitted for this principal? - * this code used not to be based on gssapi. In order - * to minimize porting hassles, I've put all the - * gssapi hair in this function. This might not be - * the best medium-term solution. (The best long-term - * solution is, of course, a real authorization service.) 
- */ -krb5_boolean -kadm5int_acl_check(kcontext, caller, opmask, principal, restrictions) - krb5_context kcontext; - gss_name_t caller; - krb5_int32 opmask; - krb5_principal principal; - restriction_t **restrictions; -{ - krb5_boolean retval; - gss_buffer_desc caller_buf; - gss_OID caller_oid; - OM_uint32 emin; - krb5_error_code code; - krb5_principal caller_princ; - - if (GSS_ERROR(gss_display_name(&emin, caller, &caller_buf, &caller_oid))) - return FALSE; - - code = krb5_parse_name(kcontext, (char *) caller_buf.value, - &caller_princ); - - gss_release_buffer(&emin, &caller_buf); - - if (code != 0) - return FALSE; - - retval = kadm5int_acl_check_krb(kcontext, caller_princ, - opmask, principal, restrictions); - - krb5_free_principal(kcontext, caller_princ); - - return retval; -} - -kadm5_ret_t -kadm5_get_privs(void *server_handle, long *privs) -{ - CHECK_HANDLE(server_handle); - - /* this is impossible to do with the current interface. For now, - return all privs, which will confuse some clients, but not - deny any access to users of "smart" clients which try to cache */ - - *privs = ~0; - - return KADM5_OK; -} diff --git a/src/lib/kadm5/srv/server_acl.h b/src/lib/kadm5/srv/server_acl.h deleted file mode 100644 index d8db2f75b087..000000000000 --- a/src/lib/kadm5/srv/server_acl.h +++ /dev/null 
@@ -1,100 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/kadm5/srv/server_acl.h */ -/* - * Copyright 1995-2004, 2007, 2008 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#ifndef SERVER_ACL_H__ -#define SERVER_ACL_H__ - -/* - * Debug definitions. - */ -#define DEBUG_SPROC 1 -#define DEBUG_OPERATION 2 -#define DEBUG_HOST 4 -#define DEBUG_REALM 8 -#define DEBUG_REQUESTS 16 -#define DEBUG_ACL 32 -#define DEBUG_PROTO 64 -#define DEBUG_CALLS 128 -#define DEBUG_NOSLAVES 256 -#ifdef DEBUG -#define DPRINT(l1, cl, al) if ((cl & l1) != 0) printf al -#else /* DEBUG */ -#define DPRINT(l1, cl, al) -#endif /* DEBUG */ - -/* - * Access control bits. 
- */ -#define ACL_ADD 1 -#define ACL_DELETE 2 -#define ACL_MODIFY 4 -#define ACL_CHANGEPW 8 -/* #define ACL_CHANGE_OWN_PW 16 */ -#define ACL_INQUIRE 32 -#define ACL_EXTRACT 64 -#define ACL_LIST 128 -#define ACL_SETKEY 256 -#define ACL_IPROP 512 -#define ACL_RENAME (ACL_ADD+ACL_DELETE) - -#define ACL_ALL_MASK (ACL_ADD | \ - ACL_DELETE | \ - ACL_MODIFY | \ - ACL_CHANGEPW | \ - ACL_INQUIRE | \ - ACL_LIST | \ - ACL_IPROP | \ - ACL_SETKEY) - -typedef struct _restriction { - long mask; - krb5_flags require_attrs; - krb5_flags forbid_attrs; - krb5_deltat princ_lifetime; - krb5_deltat pw_lifetime; - krb5_deltat max_life; - krb5_deltat max_renewable_life; - long aux_attributes; - char *policy; -} restriction_t; - -krb5_error_code kadm5int_acl_init(krb5_context, int, char *); -void kadm5int_acl_finish(krb5_context, int); -krb5_boolean kadm5int_acl_check(krb5_context, - gss_name_t, - krb5_int32, - krb5_principal, - restriction_t **); -krb5_boolean kadm5int_acl_check_krb(krb5_context, - krb5_const_principal, - krb5_int32, - krb5_const_principal, - restriction_t **); -krb5_error_code kadm5int_acl_impose_restrictions(krb5_context, - kadm5_principal_ent_rec *, - long *, - restriction_t *); -#endif /* SERVER_ACL_H__ */ diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c index 612553ba3e19..f4b8aef2bde1 100644 --- a/src/lib/kadm5/srv/server_kdb.c +++ b/src/lib/kadm5/srv/server_kdb.c @@ -365,7 +365,7 @@ kdb_put_entry(kadm5_server_handle_t handle, krb5_db_entry *kdb, osa_princ_ent_rec *adb) { krb5_error_code ret; - krb5_int32 now; + krb5_timestamp now; XDR xdrs; krb5_tl_data tl_data; diff --git a/src/lib/kadm5/srv/server_misc.c b/src/lib/kadm5/srv/server_misc.c index b361847bd553..87e97c9f8a2f 100644 --- a/src/lib/kadm5/srv/server_misc.c +++ b/src/lib/kadm5/srv/server_misc.c 
@@ -142,3 +142,17 @@ destroy_pwqual(kadm5_server_handle_t handle)
 k5_pwqual_free_handles(handle->context, handle->qual_handles);
 handle->qual_handles = NULL;
 }
+
+kadm5_ret_t
+kadm5_get_privs(void *server_handle, long *privs)
+{
+ CHECK_HANDLE(server_handle);
+
+ /* this is impossible to do with the current interface. For now,
+ return all privs, which will confuse some clients, but not
+ deny any access to users of "smart" clients which try to cache */
+
+ *privs = ~0;
+
+ return KADM5_OK;
+}
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 0640b47c40d4..2420f2c2bebb 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -296,7 +296,7 @@ kadm5_create_principal_3(void *server_handle,
 osa_princ_ent_rec adb;
 kadm5_policy_ent_rec polent;
 krb5_boolean have_polent = FALSE;
- krb5_int32 now;
+ krb5_timestamp now;
 krb5_tl_data *tl_data_tail;
 unsigned int ret;
 kadm5_server_handle_t handle = server_handle;
@@ -400,7 +400,7 @@ kadm5_create_principal_3(void *server_handle,
 kdb->pw_expiration = 0;
 if (have_polent) {
 if(polent.pw_max_life)
- kdb->pw_expiration = now + polent.pw_max_life;
+ kdb->pw_expiration = ts_incr(now, polent.pw_max_life);
 else
 kdb->pw_expiration = 0;
 }
@@ -612,7 +612,7 @@ kadm5_modify_principal(void *server_handle,
 &(kdb->pw_expiration));
 if (ret)
 goto done;
- kdb->pw_expiration += pol.pw_max_life;
+ kdb->pw_expiration = ts_incr(kdb->pw_expiration, pol.pw_max_life);
 } else {
 kdb->pw_expiration = 0;
 }
@@ -1322,11 +1322,11 @@ kadm5_chpass_principal_3(void *server_handle,
 int n_ks_tuple, krb5_key_salt_tuple *ks_tuple,
 char *password)
 {
- krb5_int32 now;
+ krb5_timestamp now;
 kadm5_policy_ent_rec pol;
 osa_princ_ent_rec adb;
 krb5_db_entry *kdb;
- int ret, ret2, last_pwd, hist_added;
+ int ret, ret2, hist_added;
 krb5_boolean have_pol = FALSE;
 kadm5_server_handle_t handle = server_handle;
 osa_pw_hist_ent hist;
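Review bot: The `kadm5_get_privs` added to server_misc.c keeps a comment that never says the returned mask is advisory, although `*privs = ~0;` reports every privilege bit to every caller whatever the ACL would grant. A client that hides or enables operations based on this value learns nothing about what the server will actually permit, so the comment should say so, for example `/* Advisory only: always reports all privilege bits; callers must not treat this as an authorization decision. */`. The function also dereferences `privs` without a NULL check, so it is worth either documenting that `privs` must be non-NULL or rejecting NULL before the store.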
@@ -1399,24 +1399,6 @@ kadm5_chpass_principal_3(void *server_handle, if ((adb.aux_attributes & KADM5_POLICY)) { /* the policy was loaded before */ - ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd); - if (ret) - goto done; - -#if 0 - /* - * The spec says this check is overridden if the caller has - * modify privilege. The admin server therefore makes this - * check itself (in chpass_principal_wrapper, misc.c). A - * local caller implicitly has all authorization bits. - */ - if ((now - last_pwd) < pol.pw_min_life && - !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { - ret = KADM5_PASS_TOOSOON; - goto done; - } -#endif - ret = check_pw_reuse(handle->context, hist_keyblocks, kdb->n_key_data, kdb->key_data, 1, &hist); @@ -1445,7 +1427,7 @@ kadm5_chpass_principal_3(void *server_handle, } if (pol.pw_max_life) - kdb->pw_expiration = now + pol.pw_max_life; + kdb->pw_expiration = ts_incr(now, pol.pw_max_life); else kdb->pw_expiration = 0; } else { @@ -1544,9 +1526,9 @@ kadm5_randkey_principal_3(void *server_handle, { krb5_db_entry *kdb; osa_princ_ent_rec adb; - krb5_int32 now; + krb5_timestamp now; kadm5_policy_ent_rec pol; - int ret, last_pwd, n_new_keys; + int ret, n_new_keys; krb5_boolean have_pol = FALSE; kadm5_server_handle_t handle = server_handle; krb5_keyblock *act_mkey; 
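Review bot: Deleting the `#if 0` block in `kadm5_chpass_principal_3` also deletes the only comment here stating that this library call does not enforce `pw_min_life` and that a local caller is treated as fully authorized. The same comment disappears in the `kadm5_randkey_principal_3` and `kadm5_setv4key_principal` hunks further down. Dropping the dead code is fine, but I would leave a one-line note where the block was, such as `/* pw_min_life is not enforced here; the admin server checks it before calling, and local callers are unrestricted. */`, so a future caller does not assume the minimum-lifetime policy is applied by this function. The function body starts and ends outside the hunk.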
@@ -1605,26 +1587,8 @@ kadm5_randkey_principal_3(void *server_handle,
 goto done;
 }
 if (have_pol) {
- ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd);
- if (ret)
- goto done;
-
-#if 0
- /*
- * The spec says this check is overridden if the caller has
- * modify privilege. The admin server therefore makes this
- * check itself (in chpass_principal_wrapper, misc.c). A
- * local caller implicitly has all authorization bits.
- */
- if((now - last_pwd) < pol.pw_min_life &&
- !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- ret = KADM5_PASS_TOOSOON;
- goto done;
- }
-#endif
-
 if (pol.pw_max_life)
- kdb->pw_expiration = now + pol.pw_max_life;
+ kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
 else
 kdb->pw_expiration = 0;
 } else {
@@ -1686,14 +1650,11 @@ kadm5_setv4key_principal(void *server_handle,
 {
 krb5_db_entry *kdb;
 osa_princ_ent_rec adb;
- krb5_int32 now;
+ krb5_timestamp now;
 kadm5_policy_ent_rec pol;
 krb5_keysalt keysalt;
 int i, kvno, ret;
 krb5_boolean have_pol = FALSE;
-#if 0
- int last_pwd;
-#endif
 kadm5_server_handle_t handle = server_handle;
 krb5_key_data tmp_key_data;
 krb5_keyblock *act_mkey;
@@ -1756,25 +1717,8 @@ kadm5_setv4key_principal(void *server_handle,
 goto done;
 }
 if (have_pol) {
-#if 0
- /*
- * The spec says this check is overridden if the caller has
- * modify privilege. The admin server therefore makes this
- * check itself (in chpass_principal_wrapper, misc.c). A
- * local caller implicitly has all authorization bits.
- */
- if (ret = krb5_dbe_lookup_last_pwd_change(handle->context,
- kdb, &last_pwd))
- goto done;
- if((now - last_pwd) < pol.pw_min_life &&
- !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
- ret = KADM5_PASS_TOOSOON;
- goto done;
- }
-#endif
-
 if (pol.pw_max_life)
- kdb->pw_expiration = now + pol.pw_max_life;
+ kdb->pw_expiration = ts_incr(now, pol.pw_max_life);
 else
 kdb->pw_expiration = 0;
 } else {
@@ -1788,6 +1732,9 @@ kadm5_setv4key_principal(void *server_handle, /* unlock principal on this KDC */ kdb->fail_auth_count = 0; + /* key data changed, let the database provider know */ + kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT; + if ((ret = kdb_put_entry(handle, kdb, &adb))) goto done; @@ -1888,7 +1835,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal, { krb5_db_entry *kdb; osa_princ_ent_rec adb; - krb5_int32 now; + krb5_timestamp now; kadm5_policy_ent_rec pol; krb5_key_data *new_key_data = NULL; int i, j, ret, n_new_key_data = 0; @@ -2024,7 +1971,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal, } if (have_pol) { if (pol.pw_max_life) - kdb->pw_expiration = now + pol.pw_max_life; + kdb->pw_expiration = ts_incr(now, pol.pw_max_life); else kdb->pw_expiration = 0; } else { @@ -2038,6 +1985,9 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal, /* Unlock principal on this KDC. */ kdb->fail_auth_count = 0; + /* key data changed, let the database provider know */ + kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT; + ret = kdb_put_entry(handle, kdb, &adb); if (ret) goto done; diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/unit-test/setkey-test.c index 60be9e85d5d3..0431653bff44 100644 --- a/src/lib/kadm5/unit-test/setkey-test.c +++ b/src/lib/kadm5/unit-test/setkey-test.c @@ -69,7 +69,8 @@ main(int argc, char **argv) char *whoami, *principal, *authprinc, *authpwd; krb5_data pwdata; void *handle; - int ret, i, test, encnum; + int ret, test, encnum; + unsigned int i; whoami = argv[0]; |
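Review bot: In `kadm5_setv4key_principal` the new `kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT;` names only two changed fields, yet the same function also rewrites `kdb->pw_expiration` (the `ts_incr(now, pol.pw_max_life)` hunk just above). If a database provider uses `mask` to choose which attributes to store, as the added comment suggests, the recomputed expiry may not be persisted and a principal whose key was just replaced could keep a stale password-expiration time. Consider `kdb->mask = KADM5_KEY_DATA | KADM5_FAIL_AUTH_COUNT | KADM5_PW_EXPIRATION;` here and in the matching `kadm5_setkey_principal_4` hunk, after confirming how the providers read the mask. Both functions extend beyond their hunks, so a mask update that is not visible here may already cover this.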
