kadm5.acl - Kerberos ACL file
Please see following description for synopsis
KADM5.ACL(5) MIT Kerberos KADM5.ACL(5)
NAME
kadm5.acl - Kerberos ACL file
DESCRIPTION
The Kerberos kadmind(8) daemon uses an Access Control List (ACL) file
to manage access rights to the Kerberos database. For operations that
affect principals, the ACL file also controls which principals can
operate on which other principals.
The default location of the Kerberos ACL file is /var/krb5/kadm5.acl
unless this is overridden by the acl_file variable in kdc.conf(5).
SYNTAX
Empty lines and lines starting with the sharp sign (#) are ignored.
Lines containing ACL entries have the format:
principal permissions [target_principal [restrictions] ]
NOTE:
Line order in the ACL file is important. The first matching entry
will control access for an actor principal on a target principal.
principal
(Partially or fully qualified Kerberos principal name.) Speci-
fies the principal whose permissions are to be set.
Each component of the name may be wildcarded using the * charac-
ter.
permissions
Specifies what operations may or may not be performed by a prin-
cipal matching a particular entry. This is a string of one or
more of the following list of characters or their upper-case
counterparts. If the character is upper-case, then the opera-
tion is disallowed. If the character is lower-case, then the
operation is permitted.
+--+----------------------------+
|a | [Dis]allows the addition |
| | of principals or policies |
+--+----------------------------+
|c | [Dis]allows the changing |
| | of passwords for princi- |
| | pals |
+--+----------------------------+
|d | [Dis]allows the deletion |
| | of principals or policies |
+--+----------------------------+
|e | [Dis]allows the extraction |
| | of principal keys |
+--+----------------------------+
|i | [Dis]allows inquiries |
| | about principals or poli- |
| | cies |
+--+----------------------------+
|l | [Dis]allows the listing of |
| | all principals or policies |
+--+----------------------------+
|m | [Dis]allows the modifica- |
| | tion of principals or |
| | policies |
+--+----------------------------+
|p | [Dis]allows the propaga- |
| | tion of the principal |
| | database (used in |
| | incr_db_prop) |
+--+----------------------------+
|s | [Dis]allows the explicit |
| | setting of the key for a |
| | principal |
+--+----------------------------+
|u | [Dis]allows the creation |
| | of one-component user |
| | principals whose password |
| | can be validated with PAM |
+--+----------------------------+
|x | Short for admcilsp. All |
| | privileges (except e) |
+--+----------------------------+
|* | Same as x. |
+--+----------------------------+
NOTE:
The extract privilege is not included in the wildcard privilege; it
must be explicitly assigned. This privilege allows the user to
extract keys from the database, and must be handled with great care
to avoid disclosure of important keys like those of the kadmin/* or
krbtgt/* principals. The lockdown_keys principal attribute can be
used to prevent key extraction from specific principals regardless
of the granted privilege.
target_principal
(Optional. Partially or fully qualified Kerberos principal
name.) Specifies the principal on which permissions may be
applied. Each component of the name may be wildcarded using the
* character.
target_principal can also include back-references to principal,
in which *number matches the corresponding wildcard in princi-
pal.
restrictions
(Optional) A string of flags. Allowed restrictions are:
{+|-}flagname
flag is forced to the indicated value. The permissi-
ble flags are the same as those for the default_prin-
cipal_flags variable in kdc.conf(5).
-clearpolicy
policy is forced to be empty.
-policy pol
policy is forced to be pol.
-{expire, pwexpire, maxlife, maxrenewlife} time
(getdate string) associated value will be forced to
MIN(time, requested value).
The above flags act as restrictions on any add or modify opera-
tion which is allowed due to that ACL line.
WARNING:
If the kadmind ACL file is modified, the kadmind daemon needs to be
restarted for changes to take effect.
EXAMPLE
Here is an example of a kadm5.acl file:
*/admin@ATHENA.MIT.EDU * # line 1
joeadmin@ATHENA.MIT.EDU ADMCIL # line 2
joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3
*/root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4
*/root@ATHENA.MIT.EDU l * # line 5
sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6
(line 1) Any principal in the ATHENA.MIT.EDU realm with an admin
instance has all administrative privileges except extracting keys.
(lines 1-3) The user joeadmin has all permissions except extracting
keys with his admin instance, joeadmin/admin@ATHENA.MIT.EDU (matches
line 1). He has no permissions at all with his null instance, joead-
min@ATHENA.MIT.EDU (matches line 2). His root and other non-admin,
non-null instances (e.g., extra or dbadmin) have inquire permissions
with any principal that has the instance root (matches line 3).
(line 4) Any root principal in ATHENA.MIT.EDU can inquire or change the
password of their null instance, but not any other null instance.
(Here, *1 denotes a back-reference to the component matching the first
wildcard in the actor principal.)
(line 5) Any root principal in ATHENA.MIT.EDU can generate the list of
principals in the database, and the list of policies in the database.
This line is separate from line 4, because list permission can only be
granted globally, not to specific target principals.
(line 6) Finally, the Service Management System principal
sms@ATHENA.MIT.EDU has all permissions except extracting keys, but any
principal that it creates or modifies will not be able to get postdate-
able tickets or tickets with a life of longer than 9 hours.
MODULE BEHAVIOR
The ACL file can coexist with other authorization modules in release
1.16 and later, as configured in the kadm5_auth section of
krb5.conf(5). The ACL file will positively authorize operations
according to the rules above, but will never authoritatively deny an
operation, so other modules can authorize operations in addition to
those authorized by the ACL file.
To operate without an ACL file, set the acl_file variable in
kdc.conf(5) to the empty string with acl_file = "".
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
+---------------+-------------------------+
|ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+---------------+-------------------------+
|Availability | security/kerberos-5/kdc |
+---------------+-------------------------+
|Stability | Pass-through committed |
+---------------+-------------------------+
SEE ALSO
kdc.conf(5), kadmind(8)
AUTHOR
MIT
COPYRIGHT
1985-2021, MIT
NOTES
Source code for open source software components in Oracle Solaris can
be found at https://www.oracle.com/downloads/opensource/solaris-source-
code-downloads.html.
This software was built from source available at
https://github.com/oracle/solaris-userland. The original community
source was downloaded from http://web.mit.edu/ker-
beros/dist/krb5/1.18/krb5-1.18.4.tar.gz.
Further information about this software can be found on the open source
community website at http://web.mit.edu/kerberos/.
1.18.4 KADM5.ACL(5)