From 858629508d9e510d99afd5a4b2d9d6157f0d59e8 Mon Sep 17 00:00:00 2001 From: Paul Park Date: Thu, 31 Aug 1995 20:11:46 +0000 Subject: [PATCH] Update ACL file description git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6644 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kadmin/v5server/kadmind5.M | 33 ++++++++++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) diff --git a/src/kadmin/v5server/kadmind5.M b/src/kadmin/v5server/kadmind5.M index 88eafc01a..7de71150a 100644 --- a/src/kadmin/v5server/kadmind5.M +++ b/src/kadmin/v5server/kadmind5.M @@ -128,7 +128,8 @@ Specifies that the daemon is not to operate in the background. .SH ACL FILE .PP The ACL file controls which principals can or cannot perform which -administrative functions. This file can contain comment lines, null +administrative functions on which principals. +This file can contain comment lines, null lines or lines which contain ACL entries. Comment lines start with the sharp sign ( .B \# @@ -136,9 +137,14 @@ the sharp sign ( entries have the format of .B principal .I whitespace -.B operation-mask. +.B operation-mask +[ +.I whitespace +.B operation-target +] + Ordering is important. The first matching entry is the one which will -control access for a particular principal. +control access for a particular principal on a particular principal. .PP .IP principal may specify a partially or fully qualified Kerberos version 5 @@ -146,6 +152,12 @@ principal name. Each component of the name may be wildcarded using the asterisk ( .B * ) character. +.IP operation-target +[Optional] may specify a partially or fully qualified Kerberos version 5 +principal name. Each component of the name may be wildcarded using the +asterisk ( +.B * +) character. .IP operation-mask Specifies what operations may or may not be peformed by a principal matching a particular entry. This is a string of one or more of the 
@@ -196,6 +208,13 @@ only applies to this principal and specifies that [s]he may add, delete or modify principals and change his/her own password, but not anybody elses. .TP 2i +.I user/instance@realm ceim service/instance@realm +A standard fully qualified name and a standard fully qualified target. The +.B operation-mask +only applies to this principal operating on this target and specifies that +[s]he may change the target's password, extract its service key, request +information about the target and modify it. +.TP 2i .I user/*@realm aw A wildcarded name. The .B operation-mask @@ -203,6 +222,14 @@ applies to all principals in realm "realm" whose first component is "user" and specifies that [s]he may add principals and change anybody else's password or change his/her own. .TP 2i +.I user/*@realm ei */instance@realm +A wildcarded name and target. The +.B operation-mask +applies to all principals in realm "realm" whose first component is +"user" and specifies that [s]he may extract service keys for or perform +inquiries on principals whose second component is "instance" and realm +is "realm". +.TP 2i .I * o The catchall entry. The .B operation-mask -- 2.26.2
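Review bot: in the second hunk (@@ -136), the new sentence "control access for a particular principal on a particular principal" is ambiguous now that an entry names two principals; say which is which, e.g. "control access for a particular principal acting on a particular target principal". The same hunk also needs to state how matching works when an entry omits the optional operation-target (does it match any target, or only operations that have no target?), because the "first matching entry" rule cannot be applied by the reader without that. Finally, the bare empty line inserted after the "]" produces a blank line in the rendered man page; drop it or use an explicit request such as ".PP" if a break is intended.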
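Review bot: in the third hunk (@@ -146), the new ".IP operation-target" entry says only "[Optional]" and repeats the principal wildcard text; it should also document the default when the target is omitted, otherwise the reader cannot tell whether a target-less entry like "user/*@realm aw" restricts the target at all. The surrounding context line "may or may not be peformed" carries a typo ("performed") that could be fixed while this paragraph is being edited.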
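Review bot: in the fourth hunk (@@ -196), the example for "ceim" describes the "i" flag as "request information about the target" while the next hunk describes the same flag as "perform inquiries"; use one phrasing for the same operation in both examples so readers can map the letters to the operation-mask list above. "[s]he" also reads oddly for a principal that may be a service rather than a person; "it" or "the principal" would be clearer.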
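Review bot: in the fifth hunk (@@ -203), the new entry "user/*@realm ei */instance@realm" is placed after "user/*@realm aw" in the example list, and the ACL FILE section says the first matching entry controls access; unless a target-less entry is defined to match only when no target applies, every "user/*@realm" principal would already be matched by the "aw" line and the "ei" entry would never be consulted. Either reorder the examples, or add a sentence explaining how an entry with a target interacts with an earlier entry without one, so the example demonstrates a reachable rule.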