author | Remi Ferrand <remi.ferrand@cc.in2p3.fr> | 2014-04-03 19:29:03 +0200 |
---|---|---|
committer | Russ Allbery <rra@stanford.edu> | 2014-06-16 10:56:46 -0700 |
commit | 1ae63e2683e478de0224ea57ec46a6d1a7948936 (patch) | |
tree | 1cef21567d256bbc7a8fe7208074501a2ef5866e /docs | |
parent | 08e13f6e7afa64ba2b09e8f9a1a91acad9b77917 (diff) |
New implementation of `unxgrp` ACL scheme.
* As suggested by @rra, the principal is now converted to a local
user name with `krb5_aname_to_localname`.
* Fix LICENSE issue by removing CeCILL headers and falling back
to the global remctl license.
* Improve test suite to check for proper error handling.
Implementation remarks:
* As `krb5_aname_to_localname` requires the principal to be from a known
realm to work, the test suite now has to be run with a Kerberos configuration
file that defines at least the realm `EXAMPLE.ORG`. I'd have liked to use the
function `kerberos_generate_conf()` defined in `tests/tap/kerberos.c`
but I wasn't able to find the script `tests/data/generate-krb5-conf`.
My solution was to use the sample configuration file provided with the Java
bindings, `java/k5.conf`.
If no realm `EXAMPLE.ORG` can be found in the Kerberos configuration file,
the tests will fail like this:
```bash
$ ./tests/runtests -o ./tests/server/acl-unxgrp
1..14
ok 1 - ... with empty group
not ok 2 - ... with user within group
ok 3 - ... with user not in group
ok 4 - ... with principal with instances but main user in group
ok 5 - ... with long_principal very very long
ok 6 - ... match error message with principal too long
ok 7 - ... with user from not supported REALM
ok 8 - ... with getgrnam_r failing
ok 9 - ... with getgrnam_r error handling
ok 10 - ... with denied user in group
ok 11 - ... with user not in denied group but not allowed
not ok 12 - ... with user within group plus a deny pragma
ok 13 - ... with user in denied group plus a allow group pragma
ok 14 - ... with user neither in allowed or denied group
```
but with the sample configuration file shipped with the Java bindings:
```bash
$ KRB5_CONFIG=../java/k5.conf ./tests/runtests -o ./tests/server/acl-unxgrp
1..14
ok 1 - ... with empty group
ok 2 - ... with user within group
ok 3 - ... with user not in group
ok 4 - ... with principal with instances but main user in group
ok 5 - ... with long_principal very very long
ok 6 - ... match error message with principal too long
ok 7 - ... with user from not supported REALM
ok 8 - ... with getgrnam_r failing
ok 9 - ... with getgrnam_r error handling
ok 10 - ... with denied user in group
ok 11 - ... with user not in denied group but not allowed
ok 12 - ... with user within group plus a deny pragma
ok 13 - ... with user in denied group plus a allow group pragma
ok 14 - ... with user neither in allowed or denied group
```
Change-Id: Iadb1b5f9f4e18297f08ac25cdc6c3a5510ecc584
Reviewed-on: https://gerrit.stanford.edu/1495
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
Diffstat (limited to 'docs')
-rw-r--r-- | docs/remctld.pod | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/docs/remctld.pod b/docs/remctld.pod index 24ebd62..5c2ad57 100644 --- a/docs/remctld.pod +++ b/docs/remctld.pod @@ -422,9 +422,14 @@ expressions was found when B<remctld> was built. =item unxgrp -This method is used to grant or deny access based on Unix group. -The user name is first sanitized (instances and REALM are removed from principal name), -and then compared to members of B<group>. +This method is used to grant or deny access using Unix groups. +The user principal is converted to a local user name with I<krb5_aname_to_localname(3)> +and then compared to the members of B<group>. +To allow access to the members of group B<goodguys>, use the C<unxgrp:goodguys> syntax, whereas +to deny access to the members of group B<badguys>, use the C<deny:unxgrp:badguys> syntax. + +Because of how I<krb5_aname_to_localname(3)> works, if the user principal isn't in one of +the local realms, access will be denied. =back |
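Review bot: the final added paragraph ("if the user principal isn't in one of the local realms, access will be denied") does not say what that means for a C<deny:unxgrp:badguys> entry, which the paragraph just above it introduces. If a failed conversion simply makes the entry not match, a principal from a non-local realm skips the deny entry and may still be admitted by a later entry in the same ACL. If it is treated as an error that rejects the request, the text should say so explicitly. Please state which of the two applies, and say that "local realms" means the realms defined in the server's Kerberos configuration, since the commit message shows that the result changes with KRB5_CONFIG. It would also help to say in the first added sentence what "members of B<group>" covers, for example whether a user whose primary group is B<group> counts or only users listed as members of the group.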