Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, January 12, 2020 7:17 PM, Russ Allbery <[email protected]> wrote:
> Laura Smith [email protected] writes:
>
> > I am trying to create a suitably restricted user for use with
> > configuration automation (SaltStack). My line looks like the following:
>
> > saltstack/[email protected] ADMCIL nfs/*@EXAMPLE.COM
>
> > I have edited kadm5.acl and restarted kadmind, however list_princs
> > returns a list of all principals, not just nfs/* ?
>
> > If I remove the target column (i.e. saltstack/[email protected] ADMCIL)
> > and restart kadmind, then ADMCIL operates as expected (blocks
> > list_princs entirely).
>
> I don't believe the "l" permission supports the target field. I think
> it's all or nothing: either you can list all principals or you can't. The
> man page for kadm5.acl seems to support that:
>
> l [Dis]allows the listing of all principals or policies
>
> -- 
>
> Russ Allbery ([email protected]) https://www.eyrie.org/~eagle/
Hi Russ,
Fair enough, but I can still add/delete principals even with ADMCIL (e.g. I
could add test/test, which should not be possible with an nfs/* restriction?)
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
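An added illustration of the kadm5.acl layout the thread is discussing; it is not from either poster, and it assumes the automation principal lives in EXAMPLE.COM (the realm is redacted above) and the Debian-style path /etc/krb5kdc/kadm5.acl (other distributions use /var/kerberos/krb5kdc/kadm5.acl). Two points from the kadm5.acl(5) man page are worth checking against a file like Laura's: entries are matched in order and the first matching line decides the operation, so a broad entry such as the common default `*/admin@EXAMPLE.COM *` placed above the restricted line would silently grant everything to saltstack/admin; and the target principal field only constrains the operations that act on a named principal (add, delete, modify, change password, inquire, extract), so `l` is either granted for the whole database or not at all:

```text
# /etc/krb5kdc/kadm5.acl  (assumed path; varies by distribution)
#
# Format: principal  permissions  [target_principal  [restrictions]]
# First matching line wins. Keep any catch-all entry BELOW the
# restricted automation entry, or better, drop it entirely:
#*/admin@EXAMPLE.COM         *

# Automation account for SaltStack: may add, delete, modify, change
# passwords of, and inquire about nfs/* service principals only.
# "l" is deliberately omitted: listing has no target form, so granting
# it would reveal every principal name in the realm.
saltstack/admin@EXAMPLE.COM   ADMCI   nfs/*@EXAMPLE.COM

# Human administrators keep full rights, listed after the restricted entry.
alice/admin@EXAMPLE.COM       *
```

To verify the restriction from a client, run `kadmin -p saltstack/admin@EXAMPLE.COM -q "addprinc -randkey nfs/host1.example.com@EXAMPLE.COM"` (should succeed), then `kadmin -p saltstack/admin@EXAMPLE.COM -q "addprinc -randkey test/test@EXAMPLE.COM"` and `kadmin -p saltstack/admin@EXAMPLE.COM -q listprincs`; both of the latter should be refused with "Operation requires ``add'' privilege" and "Operation requires ``list'' privilege" respectively. If test/test is still created, look for an earlier matching entry in the file before suspecting the target syntax, and remember that kadmind must be restarted after every edit.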