‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, January 12, 2020 7:17 PM, Russ Allbery <ea...@eyrie.org> wrote:

> Laura Smith n5d9xq3ti233xiyif...@protonmail.ch writes:
>
> > I am trying to create a suitably restricted user for use with
> > configuration automation (SaltStack). My line looks like the following:
>
> > saltstack/ad...@example.com ADMCIL nfs/*@EXAMPLE.COM
>
> > I have edited kadm5.acl and restarted kadmind, however list_princs
> > returns a list of all principals, not just nfs/* ?
>
> > If I remove the target column (i.e. saltstack/ad...@example.com ADMCIL)
> > and restart kadmind, then ADMCIL operates as expected (blocks
> > list_princs entirely).
>
> I don't believe the "l" permission supports the target field. I think
> it's all or nothing: either you can list all principals or you can't. The
> man page for kadm5.acl seems to support that:
>
> l [Dis]allows the listing of all principals or policies
>
> --
>
> Russ Allbery (ea...@eyrie.org) https://www.eyrie.org/~eagle/

Hi Russ,

Fair enough, but I can still add/delete principals even with ADMCIL (e.g. I
could add test/test, which should not be possible with an nfs/* restriction?)

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
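The kadm5.acl entry the question is reaching for, written out as an added example rather than anything from either poster; the principal and realm names are assumed.

```text
# Added example kadm5.acl entries (assumed names; not the thread's own file).
# Lower-case letters grant a permission, UPPER-CASE letters deny it.
# The "l" (list) permission is all-or-nothing and ignores the target field.

# As posted: every letter is upper-case, so this entry grants nothing at all
# and cannot be what lets list_princs or addprinc succeed.
#saltstack/admin@EXAMPLE.COM   ADMCIL   nfs/*@EXAMPLE.COM

# Least privilege for the automation principal: add, change password,
# delete, inquire and modify, but only on nfs/* targets, and no "l",
# so list_princs is refused for this client whatever the target.
saltstack/admin@EXAMPLE.COM   acdim    nfs/*@EXAMPLE.COM
```

Entries are matched in file order, so after restarting kadmind check whether another line (for instance a */admin@EXAMPLE.COM wildcard) also matches this client, then confirm with kadmin -p saltstack/admin@EXAMPLE.COM that list_princs and addprinc test/test are refused while an nfs/ principal can still be added.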
