krb5: Import MIT 1.21.3 - src - FreeBSD source tree

diff options


context:
space:
mode:

author	Cy Schubert <cy@FreeBSD.org>	2025-03-19 22:12:25 +0000
committer	Cy Schubert <cy@FreeBSD.org>	2025-03-19 22:12:25 +0000
commit	8f7d3ef26dec89a92ec0665de84a5936310a5574 (patch)
tree	9a465418bd4056bf0d369751320a414eaed29fa4 /doc/html/admin/conf_files/kadm5_acl.html
parent	1a79b20663ca26acc2998b90ea2ff2aefd8af5b1 (diff)

Diffstat (limited to 'doc/html/admin/conf_files/kadm5_acl.html')

-rw-r--r--

doc/html/admin/conf_files/kadm5_acl.html

214

1 files changed, 102 insertions, 112 deletions

diff --git a/doc/html/admin/conf_files/kadm5_acl.html b/doc/html/admin/conf_files/kadm5_acl.html
index 8feac5d43fa7..611864b3c535 100644
--- a/doc/html/admin/conf_files/kadm5_acl.html
+++ b/doc/html/admin/conf_files/kadm5_acl.html

@@ -1,35 +1,26 @@

-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

+<!DOCTYPE html>

-<html xmlns="http://www.w3.org/1999/xhtml">

+<html>

<head>

- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

+ <meta charset="utf-8" />

+ <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />

<title>kadm5.acl — MIT Kerberos Documentation</title>

- <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" />

- <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />

- <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" />

- <script type="text/javascript">

- var DOCUMENTATION_OPTIONS = {

- URL_ROOT: '../../',

- VERSION: '1.21.2',

- COLLAPSE_INDEX: false,

- FILE_SUFFIX: '.html',

- HAS_SOURCE: true,

- SOURCELINK_SUFFIX: '.txt'

- };

- </script>

- <script type="text/javascript" src="../../_static/jquery.js"></script>

- <script type="text/javascript" src="../../_static/underscore.js"></script>

- <script type="text/javascript" src="../../_static/doctools.js"></script>

+ <link rel="stylesheet" type="text/css" href="../../_static/pygments.css" />

+ <link rel="stylesheet" type="text/css" href="../../_static/agogo.css" />

+ <link rel="stylesheet" type="text/css" href="../../_static/kerb.css" />

+ <script data-url_root="../../" id="documentation_options" src="../../_static/documentation_options.js"></script>

+ <script src="../../_static/jquery.js"></script>

+ <script src="../../_static/underscore.js"></script>

+ <script src="../../_static/doctools.js"></script>

- </head>

- <body>

+ </head><body>

@@ -61,90 +52,88 @@

- <div class="section" id="kadm5-acl">

+ <section id="kadm5-acl">

-<div class="section" id="description">

+<section id="description">

<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2>

The Kerberos <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a> daemon uses an Access Control List

(ACL) file to manage access rights to the Kerberos database.

For operations that affect principals, the ACL file also controls

which principals can operate on which other principals.

The default location of the Kerberos ACL file is

-<a class="reference internal" href="../../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal">/krb5kdc</code><code class="docutils literal">/kadm5.acl</code> unless this is overridden by the acl_file

+<a class="reference internal" href="../../mitK5defaults.html#paths">LOCALSTATEDIR</a><code class="docutils literal notranslate">/krb5kdc</code><code class="docutils literal notranslate">/kadm5.acl</code> unless this is overridden by the acl_file

variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a>.

-</div>

-<div class="section" id="syntax">

+</section>

+<section id="syntax">

<h2>SYNTAX<a class="headerlink" href="#syntax" title="Permalink to this headline">¶</a></h2>

-Empty lines and lines starting with the sharp sign (<code class="docutils literal">#</code>) are

+Empty lines and lines starting with the sharp sign (<code class="docutils literal notranslate">#</code>) are

ignored. Lines containing ACL entries have the format:

-<div class="highlight-default"><div class="highlight"><pre>principal permissions [target_principal [restrictions] ]

+<div class="highlight-default notranslate"><div class="highlight"><pre>principal permissions [target_principal [restrictions] ]

</pre></div>

</div>

-Note

-Line order in the ACL file is important. The first matching entry

+Note

+Line order in the ACL file is important. The first matching entry

will control access for an actor principal on a target principal.

</div>

-<dl class="docutils">

-<dt>principal</dt>

-<dd>(Partially or fully qualified Kerberos principal name.) Specifies

+<dl>

+<dt>principal</dt><dd>(Partially or fully qualified Kerberos principal name.) Specifies

the principal whose permissions are to be set.

-Each component of the name may be wildcarded using the <code class="docutils literal">*</code>

+Each component of the name may be wildcarded using the <code class="docutils literal notranslate">*</code>

character.

</dd>

-<dt>permissions</dt>

-<dd>Specifies what operations may or may not be performed by a

+<dt>permissions</dt><dd>Specifies what operations may or may not be performed by a

principal matching a particular entry. This is a string of one or

more of the following list of characters or their upper-case

counterparts. If the character is upper-case, then the operation

is disallowed. If the character is lower-case, then the operation

is permitted.

-<table border="1" class="last docutils">

+<table class="docutils align-default">

-<col width="2%" />

-<col width="98%" />

+<col style="width: 2%" />

+<col style="width: 98%" />

</colgroup>

-<tbody valign="top">

-<tr class="row-odd"><td>a</td>

-<td>[Dis]allows the addition of principals or policies</td>

+<tbody>

+<tr class="row-odd"><td>a</td>

+<td>[Dis]allows the addition of principals or policies</td>

</tr>

-<tr class="row-even"><td>c</td>

-<td>[Dis]allows the changing of passwords for principals</td>

+<tr class="row-even"><td>c</td>

+<td>[Dis]allows the changing of passwords for principals</td>

</tr>

-<tr class="row-odd"><td>d</td>

-<td>[Dis]allows the deletion of principals or policies</td>

+<tr class="row-odd"><td>d</td>

+<td>[Dis]allows the deletion of principals or policies</td>

</tr>

-<tr class="row-even"><td>e</td>

-<td>[Dis]allows the extraction of principal keys</td>

+<tr class="row-even"><td>e</td>

+<td>[Dis]allows the extraction of principal keys</td>

</tr>

-<tr class="row-odd"><td>i</td>

-<td>[Dis]allows inquiries about principals or policies</td>

+<tr class="row-odd"><td>i</td>

+<td>[Dis]allows inquiries about principals or policies</td>

</tr>

-<tr class="row-even"><td>l</td>

-<td>[Dis]allows the listing of all principals or policies</td>

+<tr class="row-even"><td>l</td>

+<td>[Dis]allows the listing of all principals or policies</td>

</tr>

-<tr class="row-odd"><td>m</td>

-<td>[Dis]allows the modification of principals or policies</td>

+<tr class="row-odd"><td>m</td>

+<td>[Dis]allows the modification of principals or policies</td>

</tr>

-<tr class="row-even"><td>p</td>

-<td>[Dis]allows the propagation of the principal database (used in <a class="reference internal" href="../database.html#incr-db-prop">Incremental database propagation</a>)</td>

+<tr class="row-even"><td>p</td>

+<td>[Dis]allows the propagation of the principal database (used in <a class="reference internal" href="../database.html#incr-db-prop">Incremental database propagation</a>)</td>

</tr>

-<tr class="row-odd"><td>s</td>

-<td>[Dis]allows the explicit setting of the key for a principal</td>

+<tr class="row-odd"><td>s</td>

+<td>[Dis]allows the explicit setting of the key for a principal</td>

</tr>

-<tr class="row-even"><td>x</td>

-<td>Short for admcilsp. All privileges (except <code class="docutils literal">e</code>)</td>

+<tr class="row-even"><td>x</td>

+<td>Short for admcilsp. All privileges (except <code class="docutils literal notranslate">e</code>)</td>

</tr>

-<tr class="row-odd"><td>*</td>

-<td>Same as x.</td>

+<tr class="row-odd"><td>*</td>

+<td>Same as x.</td>

</tr>

</tbody>

</table>

</dd>

</dl>

-Note

-The <code class="docutils literal">extract</code> privilege is not included in the wildcard

+Note

+The <code class="docutils literal notranslate">extract</code> privilege is not included in the wildcard

privilege; it must be explicitly assigned. This privilege

allows the user to extract keys from the database, and must be

handled with great care to avoid disclosure of important keys

@@ -153,47 +142,45 @@ like those of the kadmin/* or krbtgt/* principals. The

key extraction from specific principals regardless of the

granted privilege.

</div>

-<dl class="docutils">

-<dt>target_principal</dt>

-<dd>(Optional. Partially or fully qualified Kerberos principal name.)

+<dl>

+<dt>target_principal</dt><dd>(Optional. Partially or fully qualified Kerberos principal name.)

Specifies the principal on which permissions may be applied.

-Each component of the name may be wildcarded using the <code class="docutils literal">*</code>

+Each component of the name may be wildcarded using the <code class="docutils literal notranslate">*</code>

character.

-target_principal can also include back-references to principal,

-in which <code class="docutils literal">*number</code> matches the corresponding wildcard in

+target_principal can also include back-references to principal,

+in which <code class="docutils literal notranslate">*number</code> matches the corresponding wildcard in

principal.

</dd>

-<dt>restrictions</dt>

-<dd>(Optional) A string of flags. Allowed restrictions are:

+<dt>restrictions</dt><dd>(Optional) A string of flags. Allowed restrictions are:

-<div><dl class="docutils">

-<dt>{+|-}flagname</dt>

-<dd>flag is forced to the indicated value. The permissible flags

+<div><dl class="simple">

+<dt>{+|-}flagname</dt><dd>flag is forced to the indicated value. The permissible flags

are the same as those for the default_principal_flags

-variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a>.</dd>

-<dt>-clearpolicy</dt>

-<dd>policy is forced to be empty.</dd>

-<dt>-policy pol</dt>

-<dd>policy is forced to be pol.</dd>

-<dt>-{expire, pwexpire, maxlife, maxrenewlife} time</dt>

-<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate">getdate time</a> string) associated value will be forced to

-MIN(time, requested value).</dd>

+variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a>.

+</dd>

+<dt>-clearpolicy</dt><dd>policy is forced to be empty.

+</dd>

+<dt>-policy pol</dt><dd>policy is forced to be pol.

+</dd>

+<dt>-{expire, pwexpire, maxlife, maxrenewlife} time</dt><dd>(<a class="reference internal" href="../../basic/date_format.html#getdate">getdate time</a> string) associated value will be forced to

+MIN(time, requested value).

+</dd>

</dl>

</div></blockquote>

-The above flags act as restrictions on any add or modify operation

+The above flags act as restrictions on any add or modify operation

which is allowed due to that ACL line.

</dd>

</dl>

-Warning

-If the kadmind ACL file is modified, the kadmind daemon needs to be

+Warning

+If the kadmind ACL file is modified, the kadmind daemon needs to be

restarted for changes to take effect.

</div>

-</div>

-<div class="section" id="example">

+</section>

+<section id="example">

<h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2>

Here is an example of a kadm5.acl file:

-<div class="highlight-default"><div class="highlight"><pre>*/admin@ATHENA.MIT.EDU * # line 1

+<div class="highlight-default notranslate"><div class="highlight"><pre>*/admin@ATHENA.MIT.EDU * # line 1

joeadmin@ATHENA.MIT.EDU ADMCIL # line 2

joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3

*/root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4

@@ -201,31 +188,31 @@ restarted for changes to take effect.

sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6

</pre></div>

</div>

-(line 1) Any principal in the <code class="docutils literal">ATHENA.MIT.EDU</code> realm with an

-<code class="docutils literal">admin</code> instance has all administrative privileges except extracting

+(line 1) Any principal in the <code class="docutils literal notranslate">ATHENA.MIT.EDU</code> realm with an

+<code class="docutils literal notranslate">admin</code> instance has all administrative privileges except extracting

keys.

-(lines 1-3) The user <code class="docutils literal">joeadmin</code> has all permissions except

-extracting keys with his <code class="docutils literal">admin</code> instance,

-<code class="docutils literal">joeadmin/admin@ATHENA.MIT.EDU</code> (matches line 1). He has no

-permissions at all with his null instance, <code class="docutils literal">joeadmin@ATHENA.MIT.EDU</code>

-(matches line 2). His <code class="docutils literal">root</code> and other non-<code class="docutils literal">admin</code>, non-null

-instances (e.g., <code class="docutils literal">extra</code> or <code class="docutils literal">dbadmin</code>) have inquire permissions

-with any principal that has the instance <code class="docutils literal">root</code> (matches line 3).

-(line 4) Any <code class="docutils literal">root</code> principal in <code class="docutils literal">ATHENA.MIT.EDU</code> can inquire

+(lines 1-3) The user <code class="docutils literal notranslate">joeadmin</code> has all permissions except

+extracting keys with his <code class="docutils literal notranslate">admin</code> instance,

+<code class="docutils literal notranslate">joeadmin/admin@ATHENA.MIT.EDU</code> (matches line 1). He has no

+permissions at all with his null instance, <code class="docutils literal notranslate">joeadmin@ATHENA.MIT.EDU</code>

+(matches line 2). His <code class="docutils literal notranslate">root</code> and other non-<code class="docutils literal notranslate">admin</code>, non-null

+instances (e.g., <code class="docutils literal notranslate">extra</code> or <code class="docutils literal notranslate">dbadmin</code>) have inquire permissions

+with any principal that has the instance <code class="docutils literal notranslate">root</code> (matches line 3).

+(line 4) Any <code class="docutils literal notranslate">root</code> principal in <code class="docutils literal notranslate">ATHENA.MIT.EDU</code> can inquire

or change the password of their null instance, but not any other

-null instance. (Here, <code class="docutils literal">*1</code> denotes a back-reference to the

+null instance. (Here, <code class="docutils literal notranslate">*1</code> denotes a back-reference to the

component matching the first wildcard in the actor principal.)

-(line 5) Any <code class="docutils literal">root</code> principal in <code class="docutils literal">ATHENA.MIT.EDU</code> can generate

+(line 5) Any <code class="docutils literal notranslate">root</code> principal in <code class="docutils literal notranslate">ATHENA.MIT.EDU</code> can generate

the list of principals in the database, and the list of policies

in the database. This line is separate from line 4, because list

permission can only be granted globally, not to specific target

principals.

(line 6) Finally, the Service Management System principal

-<code class="docutils literal">sms@ATHENA.MIT.EDU</code> has all permissions except extracting keys, but

+<code class="docutils literal notranslate">sms@ATHENA.MIT.EDU</code> has all permissions except extracting keys, but

any principal that it creates or modifies will not be able to get

postdateable tickets or tickets with a life of longer than 9 hours.

-</div>

-<div class="section" id="module-behavior">

+</section>

+<section id="module-behavior">

<h2>MODULE BEHAVIOR<a class="headerlink" href="#module-behavior" title="Permalink to this headline">¶</a></h2>

The ACL file can coexist with other authorization modules in release

1.16 and later, as configured in the <a class="reference internal" href="krb5_conf.html#kadm5-auth">kadm5_auth interface</a> section of

@@ -234,20 +221,22 @@ operations according to the rules above, but will never

authoritatively deny an operation, so other modules can authorize

operations in addition to those authorized by the ACL file.

To operate without an ACL file, set the acl_file variable in

-<a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a> to the empty string with <code class="docutils literal">acl_file = ""</code>.

-</div>

-<div class="section" id="see-also">

+<a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a> to the empty string with <code class="docutils literal notranslate">acl_file = ""</code>.

+</section>

+<section id="see-also">

<a class="reference internal" href="kdc_conf.html#kdc-conf-5">kdc.conf</a>, <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8">kadmind</a>

-</div>

+</section>

+ <div class="clearer"></div>

</div>

<ul>

@@ -316,6 +305,7 @@ operations in addition to those authorized by the ACL file.

</form>

</div>

</div>

@@ -323,8 +313,8 @@ operations in addition to those authorized by the ACL file.

- <div class="right" >Release: 1.21.2

+ <div class="right" >Release: 1.21.3

</div>