diff options
Diffstat (limited to 'doc/html/admin/conf_files/kadm5_acl.html')
| -rw-r--r-- | doc/html/admin/conf_files/kadm5_acl.html | 333 |
1 files changed, 333 insertions, 0 deletions
diff --git a/doc/html/admin/conf_files/kadm5_acl.html b/doc/html/admin/conf_files/kadm5_acl.html new file mode 100644 index 000000000000..640fc7bc1c9c --- /dev/null +++ b/doc/html/admin/conf_files/kadm5_acl.html @@ -0,0 +1,333 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> + + +<html xmlns="http://www.w3.org/1999/xhtml"> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + + <title>kadm5.acl — MIT Kerberos Documentation</title> + + <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> + <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> + <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> + + <script type="text/javascript"> + var DOCUMENTATION_OPTIONS = { + URL_ROOT: '../../', + VERSION: '1.15.1', + COLLAPSE_INDEX: false, + FILE_SUFFIX: '.html', + HAS_SOURCE: true + }; + </script> + <script type="text/javascript" src="../../_static/jquery.js"></script> + <script type="text/javascript" src="../../_static/underscore.js"></script> + <script type="text/javascript" src="../../_static/doctools.js"></script> + <link rel="author" title="About these documents" href="../../about.html" /> + <link rel="copyright" title="Copyright" href="../../copyright.html" /> + <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> + <link rel="up" title="Configuration Files" href="index.html" /> + <link rel="next" title="Realm configuration decisions" href="../realm_config.html" /> + <link rel="prev" title="kdc.conf" href="kdc_conf.html" /> + </head> + <body> + <div class="header-wrapper"> + <div class="header"> + + + <h1><a href="../../index.html">MIT Kerberos Documentation</a></h1> + + <div class="rel"> + + <a href="../../index.html" title="Full Table of Contents" + accesskey="C">Contents</a> | + <a href="kdc_conf.html" title="kdc.conf" + accesskey="P">previous</a> | + <a href="../realm_config.html" title="Realm configuration decisions" + accesskey="N">next</a> | + <a href="../../genindex.html" title="General Index" + accesskey="I">index</a> | + <a href="../../search.html" title="Enter search criteria" + accesskey="S">Search</a> | + <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadm5.acl">feedback</a> + </div> + </div> + </div> + + <div class="content-wrapper"> + <div class="content"> + <div class="document"> + + <div class="documentwrapper"> + <div class="bodywrapper"> + <div class="body"> + + <div class="section" id="kadm5-acl"> +<span id="kadm5-acl-5"></span><h1>kadm5.acl<a class="headerlink" href="#kadm5-acl" title="Permalink to this headline">¶</a></h1> +<div class="section" id="description"> +<h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> +<p>The Kerberos <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon uses an Access Control List +(ACL) file to manage access rights to the Kerberos database. +For operations that affect principals, the ACL file also controls +which principals can operate on which other principals.</p> +<p>The default location of the Kerberos ACL file is +<a class="reference internal" href="../../mitK5defaults.html#paths"><em>LOCALSTATEDIR</em></a><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt> unless this is overridden by the <em>acl_file</em> +variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</p> +</div> +<div class="section" id="syntax"> +<h2>SYNTAX<a class="headerlink" href="#syntax" title="Permalink to this headline">¶</a></h2> +<p>Empty lines and lines starting with the sharp sign (<tt class="docutils literal"><span class="pre">#</span></tt>) are +ignored. Lines containing ACL entries have the format:</p> +<div class="highlight-python"><div class="highlight"><pre>principal permissions [target_principal [restrictions] ] +</pre></div> +</div> +<div class="admonition note"> +<p class="first admonition-title">Note</p> +<p class="last">Line order in the ACL file is important. The first matching entry +will control access for an actor principal on a target principal.</p> +</div> +<dl class="docutils"> +<dt><em>principal</em></dt> +<dd><p class="first">(Partially or fully qualified Kerberos principal name.) Specifies +the principal whose permissions are to be set.</p> +<p class="last">Each component of the name may be wildcarded using the <tt class="docutils literal"><span class="pre">*</span></tt> +character.</p> +</dd> +<dt><em>permissions</em></dt> +<dd><p class="first">Specifies what operations may or may not be performed by a +<em>principal</em> matching a particular entry. This is a string of one or +more of the following list of characters or their upper-case +counterparts. If the character is <em>upper-case</em>, then the operation +is disallowed. If the character is <em>lower-case</em>, then the operation +is permitted.</p> +<table border="1" class="last docutils"> +<colgroup> +<col width="2%" /> +<col width="98%" /> +</colgroup> +<tbody valign="top"> +<tr class="row-odd"><td>a</td> +<td>[Dis]allows the addition of principals or policies</td> +</tr> +<tr class="row-even"><td>c</td> +<td>[Dis]allows the changing of passwords for principals</td> +</tr> +<tr class="row-odd"><td>d</td> +<td>[Dis]allows the deletion of principals or policies</td> +</tr> +<tr class="row-even"><td>e</td> +<td>[Dis]allows the extraction of principal keys</td> +</tr> +<tr class="row-odd"><td>i</td> +<td>[Dis]allows inquiries about principals or policies</td> +</tr> +<tr class="row-even"><td>l</td> +<td>[Dis]allows the listing of all principals or policies</td> +</tr> +<tr class="row-odd"><td>m</td> +<td>[Dis]allows the modification of principals or policies</td> +</tr> +<tr class="row-even"><td>p</td> +<td>[Dis]allows the propagation of the principal database (used in <a class="reference internal" href="../database.html#incr-db-prop"><em>Incremental database propagation</em></a>)</td> +</tr> +<tr class="row-odd"><td>s</td> +<td>[Dis]allows the explicit setting of the key for a principal</td> +</tr> +<tr class="row-even"><td>x</td> +<td>Short for admcilsp. All privileges (except <tt class="docutils literal"><span class="pre">e</span></tt>)</td> +</tr> +<tr class="row-odd"><td>*</td> +<td>Same as x.</td> +</tr> +</tbody> +</table> +</dd> +</dl> +<div class="admonition note"> +<p class="first admonition-title">Note</p> +<p class="last">The <tt class="docutils literal"><span class="pre">extract</span></tt> privilege is not included in the wildcard +privilege; it must be explicitly assigned. This privilege +allows the user to extract keys from the database, and must be +handled with great care to avoid disclosure of important keys +like those of the kadmin/* or krbtgt/* principals. The +<strong>lockdown_keys</strong> principal attribute can be used to prevent +key extraction from specific principals regardless of the +granted privilege.</p> +</div> +<dl class="docutils"> +<dt><em>target_principal</em></dt> +<dd><p class="first">(Optional. Partially or fully qualified Kerberos principal name.) +Specifies the principal on which <em>permissions</em> may be applied. +Each component of the name may be wildcarded using the <tt class="docutils literal"><span class="pre">*</span></tt> +character.</p> +<p class="last"><em>target_principal</em> can also include back-references to <em>principal</em>, +in which <tt class="docutils literal"><span class="pre">*number</span></tt> matches the corresponding wildcard in +<em>principal</em>.</p> +</dd> +<dt><em>restrictions</em></dt> +<dd><p class="first">(Optional) A string of flags. Allowed restrictions are:</p> +<blockquote> +<div><dl class="docutils"> +<dt>{+|-}<em>flagname</em></dt> +<dd>flag is forced to the indicated value. The permissible flags +are the same as those for the <strong>default_principal_flags</strong> +variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</dd> +<dt><em>-clearpolicy</em></dt> +<dd>policy is forced to be empty.</dd> +<dt><em>-policy pol</em></dt> +<dd>policy is forced to be <em>pol</em>.</dd> +<dt>-{<em>expire, pwexpire, maxlife, maxrenewlife</em>} <em>time</em></dt> +<dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) associated value will be forced to +MIN(<em>time</em>, requested value).</dd> +</dl> +</div></blockquote> +<p class="last">The above flags act as restrictions on any add or modify operation +which is allowed due to that ACL line.</p> +</dd> +</dl> +<div class="admonition warning"> +<p class="first admonition-title">Warning</p> +<p class="last">If the kadmind ACL file is modified, the kadmind daemon needs to be +restarted for changes to take effect.</p> +</div> +</div> +<div class="section" id="example"> +<h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2> +<p>Here is an example of a kadm5.acl file:</p> +<div class="highlight-python"><div class="highlight"><pre>*/admin@ATHENA.MIT.EDU * # line 1 +joeadmin@ATHENA.MIT.EDU ADMCIL # line 2 +joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3 +*/root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4 +*/root@ATHENA.MIT.EDU l * # line 5 +sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6 +</pre></div> +</div> +<p>(line 1) Any principal in the <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> realm with +an <tt class="docutils literal"><span class="pre">admin</span></tt> instance has all administrative privileges.</p> +<p>(lines 1-3) The user <tt class="docutils literal"><span class="pre">joeadmin</span></tt> has all permissions with his +<tt class="docutils literal"><span class="pre">admin</span></tt> instance, <tt class="docutils literal"><span class="pre">joeadmin/admin@ATHENA.MIT.EDU</span></tt> (matches line +1). He has no permissions at all with his null instance, +<tt class="docutils literal"><span class="pre">joeadmin@ATHENA.MIT.EDU</span></tt> (matches line 2). His <tt class="docutils literal"><span class="pre">root</span></tt> and other +non-<tt class="docutils literal"><span class="pre">admin</span></tt>, non-null instances (e.g., <tt class="docutils literal"><span class="pre">extra</span></tt> or <tt class="docutils literal"><span class="pre">dbadmin</span></tt>) have +inquire permissions with any principal that has the instance <tt class="docutils literal"><span class="pre">root</span></tt> +(matches line 3).</p> +<p>(line 4) Any <tt class="docutils literal"><span class="pre">root</span></tt> principal in <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> can inquire +or change the password of their null instance, but not any other +null instance. (Here, <tt class="docutils literal"><span class="pre">*1</span></tt> denotes a back-reference to the +component matching the first wildcard in the actor principal.)</p> +<p>(line 5) Any <tt class="docutils literal"><span class="pre">root</span></tt> principal in <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> can generate +the list of principals in the database, and the list of policies +in the database. This line is separate from line 4, because list +permission can only be granted globally, not to specific target +principals.</p> +<p>(line 6) Finally, the Service Management System principal +<tt class="docutils literal"><span class="pre">sms@ATHENA.MIT.EDU</span></tt> has all permissions, but any principal that it +creates or modifies will not be able to get postdateable tickets or +tickets with a life of longer than 9 hours.</p> +</div> +<div class="section" id="see-also"> +<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> +<p><a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a></p> +</div> +</div> + + + </div> + </div> + </div> + </div> + <div class="sidebar"> + <h2>On this page</h2> + <ul> +<li><a class="reference internal" href="#">kadm5.acl</a><ul> +<li><a class="reference internal" href="#description">DESCRIPTION</a></li> +<li><a class="reference internal" href="#syntax">SYNTAX</a></li> +<li><a class="reference internal" href="#example">EXAMPLE</a></li> +<li><a class="reference internal" href="#see-also">SEE ALSO</a></li> +</ul> +</li> +</ul> + + <br/> + <h2>Table of contents</h2> + <ul class="current"> +<li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li> +<li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current"> +<li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li> +<li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current"> +<li class="toctree-l3"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li> +<li class="toctree-l3"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li> +<li class="toctree-l3 current"><a class="current reference internal" href="">kadm5.acl</a></li> +</ul> +</li> +<li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> +<li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> +<li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> +<li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> +<li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> +<li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li> +<li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> +<li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> +<li class="toctree-l2"><a class="reference internal" href="../otp.html">OTP Preauthentication</a></li> +<li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> +<li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> +<li class="toctree-l2"><a class="reference internal" href="../https.html">HTTPS proxy configuration</a></li> +<li class="toctree-l2"><a class="reference internal" href="../auth_indicator.html">Authentication indicators</a></li> +<li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li> +<li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li> +<li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li> +<li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li> +<li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li> +<li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li> +</ul> +</li> +<li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li> +<li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li> +<li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li> +<li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li> +<li class="toctree-l1"><a class="reference internal" href="../../formats/index.html">Protocols and file formats</a></li> +<li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li> +<li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li> +<li class="toctree-l1"><a class="reference internal" href="../../about.html">Contributing to the MIT Kerberos Documentation</a></li> +<li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li> +</ul> + + <br/> + <h4><a href="../../index.html">Full Table of Contents</a></h4> + <h4>Search</h4> + <form class="search" action="../../search.html" method="get"> + <input type="text" name="q" size="18" /> + <input type="submit" value="Go" /> + <input type="hidden" name="check_keywords" value="yes" /> + <input type="hidden" name="area" value="default" /> + </form> + </div> + <div class="clearer"></div> + </div> + </div> + + <div class="footer-wrapper"> + <div class="footer" > + <div class="right" ><i>Release: 1.15.1</i><br /> + © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. + </div> + <div class="left"> + + <a href="../../index.html" title="Full Table of Contents" + >Contents</a> | + <a href="kdc_conf.html" title="kdc.conf" + >previous</a> | + <a href="../realm_config.html" title="Realm configuration decisions" + >next</a> | + <a href="../../genindex.html" title="General Index" + >index</a> | + <a href="../../search.html" title="Enter search criteria" + >Search</a> | + <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadm5.acl">feedback</a> + </div> + </div> + </div> + + </body> +</html>
\ No newline at end of file |