}
if (CHANGEPW_SERVICE(rqstp)
- || !acl_check(handle->context, rqst2name(rqstp), ACL_ADD,
+ || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_ADD,
arg->rec.principal, &rp)
- || acl_impose_restrictions(handle->context,
+ || kadm5int_acl_impose_restrictions(handle->context,
&arg->rec, &arg->mask, rp)) {
ret.code = KADM5_AUTH_ADD;
krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
}
if (CHANGEPW_SERVICE(rqstp)
- || !acl_check(handle->context, rqst2name(rqstp), ACL_ADD,
+ || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_ADD,
arg->rec.principal, &rp)
- || acl_impose_restrictions(handle->context,
+ || kadm5int_acl_impose_restrictions(handle->context,
&arg->rec, &arg->mask, rp)) {
ret.code = KADM5_AUTH_ADD;
krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
}
if (CHANGEPW_SERVICE(rqstp)
- || !acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,
+ || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,
arg->princ, NULL)) {
ret.code = KADM5_AUTH_DELETE;
krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_principal",
}
if (CHANGEPW_SERVICE(rqstp)
- || !acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY,
+ || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY,
arg->rec.principal, &rp)
- || acl_impose_restrictions(handle->context,
+ || kadm5int_acl_impose_restrictions(handle->context,
&arg->rec, &arg->mask, rp)) {
ret.code = KADM5_AUTH_MODIFY;
krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_principal",
ret.code = KADM5_OK;
if (! CHANGEPW_SERVICE(rqstp)) {
- if (!acl_check(handle->context, rqst2name(rqstp),
+ if (!kadm5int_acl_check(handle->context, rqst2name(rqstp),
ACL_DELETE, arg->src, NULL))
ret.code = KADM5_AUTH_DELETE;
/* any restrictions at all on the ADD kills the RENAME */
- if (!acl_check(handle->context, rqst2name(rqstp),
+ if (!kadm5int_acl_check(handle->context, rqst2name(rqstp),
ACL_ADD, arg->dest, &rp) || rp) {
if (ret.code == KADM5_AUTH_DELETE)
ret.code = KADM5_AUTH_INSUFFICIENT;
}
if (! cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) &&
- (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context,
+ (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
rqst2name(rqstp),
ACL_INQUIRE,
arg->princ,
if (prime_arg == NULL)
prime_arg = "*";
- if (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context,
+ if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
rqst2name(rqstp),
ACL_LIST,
NULL,
ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ,
FALSE, 0, NULL, arg->pass);
} else if (!(CHANGEPW_SERVICE(rqstp)) &&
- acl_check(handle->context, rqst2name(rqstp),
+ kadm5int_acl_check(handle->context, rqst2name(rqstp),
ACL_CHANGEPW, arg->princ, NULL)) {
ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
arg->pass);
arg->ks_tuple,
arg->pass);
} else if (!(CHANGEPW_SERVICE(rqstp)) &&
- acl_check(handle->context, rqst2name(rqstp),
+ kadm5int_acl_check(handle->context, rqst2name(rqstp),
ACL_CHANGEPW, arg->princ, NULL)) {
ret.code = kadm5_chpass_principal_3((void *)handle, arg->princ,
arg->keepold,
}
if (!(CHANGEPW_SERVICE(rqstp)) &&
- acl_check(handle->context, rqst2name(rqstp),
+ kadm5int_acl_check(handle->context, rqst2name(rqstp),
ACL_SETKEY, arg->princ, NULL)) {
ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
arg->keyblock);
}
if (!(CHANGEPW_SERVICE(rqstp)) &&
- acl_check(handle->context, rqst2name(rqstp),
+ kadm5int_acl_check(handle->context, rqst2name(rqstp),
ACL_SETKEY, arg->princ, NULL)) {
ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
arg->keyblocks, arg->n_keys);
}
if (!(CHANGEPW_SERVICE(rqstp)) &&
- acl_check(handle->context, rqst2name(rqstp),
+ kadm5int_acl_check(handle->context, rqst2name(rqstp),
ACL_SETKEY, arg->princ, NULL)) {
ret.code = kadm5_setkey_principal_3((void *)handle, arg->princ,
arg->keepold,
ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ,
FALSE, 0, NULL, &k, &nkeys);
} else if (!(CHANGEPW_SERVICE(rqstp)) &&
- acl_check(handle->context, rqst2name(rqstp),
+ kadm5int_acl_check(handle->context, rqst2name(rqstp),
ACL_CHANGEPW, arg->princ, NULL)) {
ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
&k, &nkeys);
arg->ks_tuple,
&k, &nkeys);
} else if (!(CHANGEPW_SERVICE(rqstp)) &&
- acl_check(handle->context, rqst2name(rqstp),
+ kadm5int_acl_check(handle->context, rqst2name(rqstp),
ACL_CHANGEPW, arg->princ, NULL)) {
ret.code = kadm5_randkey_principal_3((void *)handle, arg->princ,
arg->keepold,
}
prime_arg = arg->rec.policy;
- if (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context,
+ if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
rqst2name(rqstp),
ACL_ADD, NULL, NULL)) {
ret.code = KADM5_AUTH_ADD;
}
prime_arg = arg->name;
- if (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context,
+ if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
rqst2name(rqstp),
ACL_DELETE, NULL, NULL)) {
krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy",
}
prime_arg = arg->rec.policy;
- if (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context,
+ if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
rqst2name(rqstp),
ACL_MODIFY, NULL, NULL)) {
krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy",
prime_arg = arg->name;
ret.code = KADM5_AUTH_GET;
- if (!CHANGEPW_SERVICE(rqstp) && acl_check(handle->context,
+ if (!CHANGEPW_SERVICE(rqstp) && kadm5int_acl_check(handle->context,
rqst2name(rqstp),
ACL_INQUIRE, NULL, NULL))
ret.code = KADM5_OK;
if (prime_arg == NULL)
prime_arg = "*";
- if (CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context,
+ if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
rqst2name(rqstp),
ACL_LIST, NULL, NULL)) {
ret.code = KADM5_AUTH_LIST;
/*
- * kadmin/v5server/srv_acl.c
+ * lib/kadm5/srv/server_acl.c
*
- * Copyright 1995 by the Massachusetts Institute of Technology.
+ * Copyright 1995-2004 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
\f
/*
- * acl_get_line() - Get a line from the ACL file.
+ * kadm5int_acl_get_line() - Get a line from the ACL file.
* Lines ending with \ are continued on the next line
*/
static char *
-acl_get_line(fp, lnp)
+kadm5int_acl_get_line(fp, lnp)
FILE *fp;
int *lnp; /* caller should set to 1 before first call */
{
}
\f
/*
- * acl_parse_line() - Parse the contents of an ACL line.
+ * kadm5int_acl_parse_line() - Parse the contents of an ACL line.
*/
static aent_t *
-acl_parse_line(lp)
+kadm5int_acl_parse_line(lp)
const char *lp;
{
static char acle_principal[BUFSIZ];
int t, found, opok, nmatch;
DPRINT(DEBUG_CALLS, acl_debug_level,
- ("* acl_parse_line(line=%20s)\n", lp));
+ ("* kadm5int_acl_parse_line(line=%20s)\n", lp));
/*
* Format is still simple:
* entry ::= [<whitespace>] <principal> <whitespace> <opstring>
}
}
DPRINT(DEBUG_CALLS, acl_debug_level,
- ("X acl_parse_line() = %x\n", (long) acle));
+ ("X kadm5int_acl_parse_line() = %x\n", (long) acle));
return(acle);
}
\f
/*
- * acl_parse_restrictions() - Parse optional restrictions field
+ * kadm5int_acl_parse_restrictions() - Parse optional restrictions field
*
* Allowed restrictions are:
* [+-]flagname (recognized by krb5_string_to_flags)
* Returns: 0 on success, or system errors
*/
static krb5_error_code
-acl_parse_restrictions(s, rpp)
+kadm5int_acl_parse_restrictions(s, rpp)
char *s;
restriction_t **rpp;
{
krb5_error_code code;
DPRINT(DEBUG_CALLS, acl_debug_level,
- ("* acl_parse_restrictions(s=%20s, rpp=0x%08x)\n", s, (long)rpp));
+ ("* kadm5int_acl_parse_restrictions(s=%20s, rpp=0x%08x)\n", s, (long)rpp));
*rpp = (restriction_t *) NULL;
code = 0;
*rpp = (restriction_t *) NULL;
}
DPRINT(DEBUG_CALLS, acl_debug_level,
- ("X acl_parse_restrictions() = %d, mask=0x%08x\n",
+ ("X kadm5int_acl_parse_restrictions() = %d, mask=0x%08x\n",
code, (*rpp) ? (*rpp)->mask : 0));
return code;
}
\f
/*
- * acl_impose_restrictions() - impose restrictions, modifying *recp, *maskp
+ * kadm5int_acl_impose_restrictions() - impose restrictions, modifying *recp, *maskp
*
* Returns: 0 on success;
* malloc or timeofday errors
*/
krb5_error_code
-acl_impose_restrictions(kcontext, recp, maskp, rp)
+kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp)
krb5_context kcontext;
kadm5_principal_ent_rec *recp;
long *maskp;
krb5_int32 now;
DPRINT(DEBUG_CALLS, acl_debug_level,
- ("* acl_impose_restrictions(..., *maskp=0x%08x, rp=0x%08x)\n",
+ ("* kadm5int_acl_impose_restrictions(..., *maskp=0x%08x, rp=0x%08x)\n",
*maskp, (long)rp));
if (!rp)
return 0;
*maskp |= KADM5_MAX_RLIFE;
}
DPRINT(DEBUG_CALLS, acl_debug_level,
- ("X acl_impose_restrictions() = 0, *maskp=0x%08x\n", *maskp));
+ ("X kadm5int_acl_impose_restrictions() = 0, *maskp=0x%08x\n", *maskp));
return 0;
}
\f
/*
- * acl_free_entries() - Free all ACL entries.
+ * kadm5int_acl_free_entries() - Free all ACL entries.
*/
static void
-acl_free_entries()
+kadm5int_acl_free_entries()
{
aent_t *ap;
aent_t *np;
- DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_free_entries()\n"));
+ DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_free_entries()\n"));
for (ap=acl_list_head; ap; ap = np) {
if (ap->ae_name)
free(ap->ae_name);
}
acl_list_head = acl_list_tail = (aent_t *) NULL;
acl_inited = 0;
- DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_free_entries()\n"));
+ DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_free_entries()\n"));
}
\f
/*
- * acl_load_acl_file() - Open and parse the ACL file.
+ * kadm5int_acl_load_acl_file() - Open and parse the ACL file.
*/
static int
-acl_load_acl_file()
+kadm5int_acl_load_acl_file()
{
FILE *afp;
char *alinep;
int alineno;
int retval = 1;
- DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_load_acl_file()\n"));
+ DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_load_acl_file()\n"));
/* Open the ACL file for read */
afp = fopen(acl_acl_file, "r");
if (afp) {
aentpp = &acl_list_head;
/* Get a non-comment line */
- while ((alinep = acl_get_line(afp, &alineno))) {
+ while ((alinep = kadm5int_acl_get_line(afp, &alineno))) {
/* Parse it */
- *aentpp = acl_parse_line(alinep);
+ *aentpp = kadm5int_acl_parse_line(alinep);
/* If syntax error, then fall out */
if (!*aentpp) {
krb5_klog_syslog(LOG_ERR, acl_syn_err_msg,
fclose(afp);
if (acl_catchall_entry) {
- *aentpp = acl_parse_line(acl_catchall_entry);
+ *aentpp = kadm5int_acl_parse_line(acl_catchall_entry);
if (*aentpp) {
acl_list_tail = *aentpp;
}
krb5_klog_syslog(LOG_ERR, acl_cantopen_msg,
error_message(errno), acl_acl_file);
if (acl_catchall_entry &&
- (acl_list_head = acl_parse_line(acl_catchall_entry))) {
+ (acl_list_head = kadm5int_acl_parse_line(acl_catchall_entry))) {
acl_list_tail = acl_list_head;
}
else {
}
if (!retval) {
- acl_free_entries();
+ kadm5int_acl_free_entries();
}
DPRINT(DEBUG_CALLS, acl_debug_level,
- ("X acl_load_acl_file() = %d\n", retval));
+ ("X kadm5int_acl_load_acl_file() = %d\n", retval));
return(retval);
}
\f
/*
- * acl_match_data() - See if two data entries match.
+ * kadm5int_acl_match_data() - See if two data entries match.
*
* Wildcarding is only supported for a whole component.
*/
static krb5_boolean
-acl_match_data(e1, e2, targetflag, ws)
+kadm5int_acl_match_data(e1, e2, targetflag, ws)
krb5_data *e1, *e2;
int targetflag;
wildstate_t *ws;
}
\f
/*
- * acl_find_entry() - Find a matching entry.
+ * kadm5int_acl_find_entry() - Find a matching entry.
*/
static aent_t *
-acl_find_entry(kcontext, principal, dest_princ)
+kadm5int_acl_find_entry(kcontext, principal, dest_princ)
krb5_context kcontext;
krb5_principal principal;
krb5_principal dest_princ;
int matchgood;
wildstate_t state;
- DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_find_entry()\n"));
+ DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_find_entry()\n"));
memset((char *)&state, 0, sizeof state);
for (entry=acl_list_head; entry; entry = entry->ae_next) {
if (entry->ae_name_bad)
continue;
}
matchgood = 0;
- if (acl_match_data(&entry->ae_principal->realm,
+ if (kadm5int_acl_match_data(&entry->ae_principal->realm,
&principal->realm, 0, (wildstate_t *)0) &&
(entry->ae_principal->length == principal->length)) {
matchgood = 1;
for (i=0; i<principal->length; i++) {
- if (!acl_match_data(&entry->ae_principal->data[i],
+ if (!kadm5int_acl_match_data(&entry->ae_principal->data[i],
&principal->data[i], 0, &state)) {
matchgood = 0;
break;
if (!dest_princ)
matchgood = 0;
else if (entry->ae_target_princ && dest_princ) {
- if (acl_match_data(&entry->ae_target_princ->realm,
+ if (kadm5int_acl_match_data(&entry->ae_target_princ->realm,
&dest_princ->realm, 1, (wildstate_t *)0) &&
(entry->ae_target_princ->length == dest_princ->length)) {
for (i=0; i<dest_princ->length; i++) {
- if (!acl_match_data(&entry->ae_target_princ->data[i],
+ if (!kadm5int_acl_match_data(&entry->ae_target_princ->data[i],
&dest_princ->data[i], 1, &state)) {
matchgood = 0;
break;
if (entry->ae_restriction_string
&& !entry->ae_restriction_bad
&& !entry->ae_restrictions
- && acl_parse_restrictions(entry->ae_restriction_string,
+ && kadm5int_acl_parse_restrictions(entry->ae_restriction_string,
&entry->ae_restrictions)) {
DPRINT(DEBUG_ACL, acl_debug_level,
("Bad restrictions in ACL entry for %s\n", entry->ae_name));
}
break;
}
- DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_find_entry()=%x\n",entry));
+ DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_find_entry()=%x\n",entry));
return(entry);
}
\f
/*
- * acl_init() - Initialize ACL context.
+ * kadm5int_acl_init() - Initialize ACL context.
*/
krb5_error_code
-acl_init(kcontext, debug_level, acl_file)
+kadm5int_acl_init(kcontext, debug_level, acl_file)
krb5_context kcontext;
int debug_level;
char *acl_file;
kret = 0;
acl_debug_level = debug_level;
DPRINT(DEBUG_CALLS, acl_debug_level,
- ("* acl_init(afile=%s)\n",
+ ("* kadm5int_acl_init(afile=%s)\n",
((acl_file) ? acl_file : "(null)")));
acl_acl_file = (acl_file) ? acl_file : (char *) KRB5_DEFAULT_ADMIN_ACL;
- acl_inited = acl_load_acl_file();
+ acl_inited = kadm5int_acl_load_acl_file();
- DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_init() = %d\n", kret));
+ DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_init() = %d\n", kret));
return(kret);
}
\f
/*
- * acl_finish - Terminate ACL context.
+ * kadm5int_acl_finish - Terminate ACL context.
*/
void
-acl_finish(kcontext, debug_level)
+kadm5int_acl_finish(kcontext, debug_level)
krb5_context kcontext;
int debug_level;
{
- DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_finish()\n"));
- acl_free_entries();
- DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_finish()\n"));
+ DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_finish()\n"));
+ kadm5int_acl_free_entries();
+ DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_finish()\n"));
}
\f
/*
- * acl_check() - Is this operation permitted for this principal?
+ * kadm5int_acl_check() - Is this operation permitted for this principal?
* this code used not to be based on gssapi. In order
* to minimize porting hassles, I've put all the
* gssapi hair in this function. This might not be
* solution is, of course, a real authorization service.)
*/
krb5_boolean
-acl_check(kcontext, caller, opmask, principal, restrictions)
+kadm5int_acl_check(kcontext, caller, opmask, principal, restrictions)
krb5_context kcontext;
gss_name_t caller;
krb5_int32 opmask;
retval = 0;
- aentry = acl_find_entry(kcontext, caller_princ, principal);
+ aentry = kadm5int_acl_find_entry(kcontext, caller_princ, principal);
if (aentry) {
if ((aentry->ae_op_allowed & opmask) == opmask) {
retval = 1;