KADM5.ACL(5)                     MIT Kerberos                     KADM5.ACL(5)



NAME

       kadm5.acl - Kerberos ACL file


DESCRIPTION

       The Kerberos kadmind(8) daemon uses an Access Control List (ACL) file
       to manage access rights to the Kerberos database.  For operations that
       affect principals, the ACL file also controls which principals can
       operate on which other principals.

       The default location of the Kerberos ACL file is
       /var/kerberos/krb5kdc/kadm5.acl unless this is overridden by the
       acl_file variable in kdc.conf(5).


SYNTAX

       Empty lines and lines starting with the sharp sign (#) are ignored.
       Lines containing ACL entries have the format:

          principal  permissions  [target_principal  [restrictions] ]

       NOTE:
          Line order in the ACL file is important.  The first matching entry
          will control access for an actor principal on a target principal.

       principal
              (Partially or fully qualified Kerberos principal name.)
              Specifies the principal whose permissions are to be set.

              Each component of the name may be wildcarded using the *
              character.

       permissions
              Specifies what operations may or may not be performed by a
              principal matching a particular entry.  This is a string of
              one or more of the following characters or their upper-case
              counterparts.  If the character is upper-case, the operation
              is disallowed.  If the character is lower-case, the operation
              is permitted.

                              ┌──┬────────────────────────────┐
                              │a │ [Dis]allows  the  addition │
                              │  │ of principals or policies  │
                              ├──┼────────────────────────────┤
                              │c │ [Dis]allows  the  changing │
                              │  │ of  passwords  for princi‐ │
                              │  │ pals                       │
                              ├──┼────────────────────────────┤
                              │d │ [Dis]allows  the  deletion │
                              │  │ of principals or policies  │
                              ├──┼────────────────────────────┤
                              │e │ [Dis]allows the extraction │
                              │  │ of principal keys          │
                              ├──┼────────────────────────────┤
                              │i │ [Dis]allows      inquiries │
                              │  │ about  principals or poli‐ │
                              │  │ cies                       │
                              ├──┼────────────────────────────┤
                              │l │ [Dis]allows the listing of │
                              │  │ all principals or policies │
                              ├──┼────────────────────────────┤
                              │m │ [Dis]allows  the modifica‐ │
                              │  │ tion  of   principals   or │
                              │  │ policies                   │
                              ├──┼────────────────────────────┤
                              │p │ [Dis]allows  the  propaga‐ │
                              │  │ tion  of   the   principal │
                              │  │ database      (used     in │
                              │  │ incr_db_prop)              │
                              ├──┼────────────────────────────┤
                              │s │ [Dis]allows  the  explicit │
                              │  │ setting  of  the key for a │
                              │  │ principal                  │
                              ├──┼────────────────────────────┤
                              │x │ Short  for  admcilsp.  All │
                              │  │ privileges (except e)      │
                              ├──┼────────────────────────────┤
                              │* │ Same as x.                 │
                              └──┴────────────────────────────┘

       NOTE:
          The extract privilege is not included in the wildcard privilege; it
          must be explicitly assigned.  This privilege allows the user to
          extract keys from the database, and must be handled with great care
          to avoid disclosure of important keys like those of the kadmin/* or
          krbtgt/* principals.  When reviewing an ACL, an explicit e in a
          permission string is therefore what to look for; x and * never
          confer it.  The lockdown_keys principal attribute can be used to
          prevent key extraction from specific principals regardless of the
          granted privilege.

       target_principal
              (Optional.  Partially or fully qualified Kerberos principal
              name.)  Specifies the principal on which permissions may be
              applied.  Each component of the name may be wildcarded using
              the * character.

              target_principal can also include back-references to
              principal, in which *number stands for the component that
              matched the number-th wildcard in principal (so *1 is the
              match of the first wildcard).

       restrictions
              (Optional) A string of flags.  Allowed restrictions are:

                 {+|-}flagname
                        flag is forced to the indicated value.  The
                        permissible flags are the same as those for the
                        default_principal_flags variable in kdc.conf(5).

                 -clearpolicy
                        policy is forced to be empty.

                 -policy pol
                        policy is forced to be pol.

                 -{expire, pwexpire, maxlife, maxrenewlife} time
                        (getdate string) associated value will be forced to
                        MIN(time, requested value).

              The above flags act as restrictions on any add or modify
              operation which is allowed due to that ACL line.

       WARNING:
          If the kadmind ACL file is modified, the kadmind daemon needs to be
          restarted for changes to take effect.


EXAMPLE

       Here is an example of a kadm5.acl file:

          */admin@ATHENA.MIT.EDU    *                               # line 1
          joeadmin@ATHENA.MIT.EDU   ADMCIL                          # line 2
          joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU       # line 3
          */root@ATHENA.MIT.EDU     ci  *1@ATHENA.MIT.EDU           # line 4
          */root@ATHENA.MIT.EDU     l   *                           # line 5
          sms@ATHENA.MIT.EDU        x   * -maxlife 9h -postdateable # line 6

       (line 1) Any principal in the ATHENA.MIT.EDU realm with an admin
       instance has all administrative privileges except extracting keys.

       (lines 1-3) The user joeadmin has all permissions except extracting
       keys with his admin instance, joeadmin/admin@ATHENA.MIT.EDU (matches
       line 1).  He has no permissions at all with his null instance,
       joeadmin@ATHENA.MIT.EDU (matches line 2).  His root and other
       non-admin, non-null instances (e.g., extra or dbadmin) have inquire
       permissions with any principal that has the instance root (matches
       line 3).

       (line 4) Any root principal in ATHENA.MIT.EDU can inquire or change
       the password of their null instance, but not any other null instance.
       (Here, *1 denotes a back-reference to the component matching the
       first wildcard in the actor principal.)

       (line 5) Any root principal in ATHENA.MIT.EDU can generate the list of
       principals in the database, and the list of policies in the database.
       This line is separate from line 4, because list permission can only be
       granted globally, not to specific target principals.

       (line 6) Finally, the Service Management System principal
       sms@ATHENA.MIT.EDU has all permissions except extracting keys, but any
       principal that it creates or modifies will not be able to get
       postdateable tickets or tickets with a life of longer than 9 hours.

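       The matching rules in SYNTAX (first match wins, per-component *
       wildcards, *number back-references, upper-case letters disallow, x and
       * never implying e) and the line-by-line reading above can be checked
       mechanically.  The Python script below is an added example; it is not
       part of this man page nor of kadmind, and it follows only the rules
       stated on this page rather than kadmind's own ACL code.  Its
       assumptions: the actor and target names bob, alice and svc are made
       up; the "# line N" annotations are treated as comments so the example
       file can be fed in verbatim (the page does not say whether kadmind
       accepts trailing comments); and restriction times are simple
       "<n>[smhd]" durations in seconds rather than full getdate strings.

```python
# Added example, not MIT Kerberos code: applies the kadm5.acl rules stated on this page.
import re
from collections import namedtuple
Entry = namedtuple("Entry", "actor perms target restrictions")
TIME_LIMITS = {"expire", "pwexpire", "maxlife", "maxrenewlife"}
UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}   # stand-in for getdate strings (assumption)
R = "@ATHENA.MIT.EDU"
# Constructed sample input: the example file from this page, "# line N" notes included.
SAMPLE_ACL = """\
*/admin@ATHENA.MIT.EDU    *                               # line 1
joeadmin@ATHENA.MIT.EDU   ADMCIL                          # line 2
joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU       # line 3
*/root@ATHENA.MIT.EDU     ci  *1@ATHENA.MIT.EDU           # line 4
*/root@ATHENA.MIT.EDU     l   *                           # line 5
sms@ATHENA.MIT.EDU        x   * -maxlife 9h -postdateable # line 6
"""

def secs(text):                                   # '9h' -> 32400; a bare number is seconds
    return int(text[:-1]) * UNIT[text[-1]] if text[-1] in UNIT else int(text)

def parse_restrictions(tokens):
    """-policy and the four time limits take an argument; +/-flagname and -clearpolicy do not."""
    out, i = [], 0
    while i < len(tokens):
        tok, name = tokens[i], tokens[i][1:]
        if tok == "-clearpolicy":
            out.append(("policy", None))
        elif tok == "-policy" or (tok[0] == "-" and name in TIME_LIMITS):
            out.append((name, tokens[i + 1] if name == "policy" else secs(tokens[i + 1])))
            i += 1
        else:                                     # +flagname / -flagname
            out.append(("flag", (tok[0] == "+", name)))
        i += 1
    return out

def parse_acl(text):
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()     # drops comment lines and trailing notes
        if fields:
            # x and * stand for admcilsp (never e); an upper-case letter disallows.
            spec = fields[1].replace("x", "admcilsp").replace("*", "admcilsp")
            perms = {c for c in spec if c.islower()} - {c.lower() for c in spec if c.isupper()}
            target = fields[2] if len(fields) > 2 else None
            entries.append(Entry(fields[0], perms, target, parse_restrictions(fields[3:])))
    return entries

def match_pattern(pattern, princ):
    """Components matched by '*' wildcards, or None when the pattern does not match."""
    if pattern == "*":
        return []
    comps = lambda n: n.partition("@")[0].split("/") + [n.partition("@")[2]]
    pc, nc = comps(pattern), comps(princ)
    if len(pc) != len(nc) or any(p not in ("*", n) for p, n in zip(pc, nc)):
        return None
    return [n for p, n in zip(pc, nc) if p == "*"]

def find_entry(entries, actor, target=None):
    """First match wins; an operation with no target (list) matches only entries whose target is absent or '*'."""
    for e in entries:
        captured = match_pattern(e.actor, actor)
        if captured is None:
            continue
        if target is None:
            ok = e.target in (None, "*")
        else:
            # *N in the target stands for the N-th wildcard captured from the actor pattern.
            pat = re.sub(r"\*(\d+)", lambda m: captured[int(m.group(1)) - 1], e.target or "*")
            ok = match_pattern(pat, target) is not None
        if ok:
            return e
    return None

def allowed(entries, actor, perm, target=None):
    e = find_entry(entries, actor, target)
    return e is not None and perm in e.perms

def apply_restrictions(entry, requested):
    """Force a matched entry's restrictions onto a requested add/modify (optional 'policy', 'flags' set, times in seconds)."""
    result = dict(requested, flags=set(requested.get("flags", ())))
    for kind, val in entry.restrictions:
        if kind == "flag":
            (result["flags"].add if val[0] else result["flags"].discard)(val[1])
        elif kind == "policy":                    # -policy pol, or None for -clearpolicy
            result["policy"] = val
        else:                                     # MIN(time, requested value)
            result[kind] = min(val, result.get(kind, val))
    return result

def check_page_example():
    acl = parse_acl(SAMPLE_ACL)
    return {
        "line1_extract": allowed(acl, "joeadmin/admin" + R, "e", "krbtgt/ATHENA.MIT.EDU" + R),
        "line4_own_null": allowed(acl, "bob/root" + R, "c", "bob" + R),
        "line4_other_null": allowed(acl, "bob/root" + R, "c", "alice" + R),
        "line5_list": allowed(acl, "bob/root" + R, "l"),
        "line6_forced": apply_restrictions(find_entry(acl, "sms" + R, "svc" + R),
                                           {"maxlife": 24 * 3600, "flags": {"postdateable"}}),
    }
```

       check_page_example() reproduces the outcomes described above: the
       wildcard grant on line 1 does not cover e, the *1 back-reference on
       line 4 lets bob/root change only bob's own password, list is granted
       only through the global line 5, and sms's -maxlife 9h -postdateable
       restrictions cap a requested 24h lifetime at 9 hours and strip the
       postdateable flag.  Because an entry matches on actor and target
       together, joeadmin/root gets only i against bob/root (line 3 matches
       first) but can still change the password of joeadmin@ATHENA.MIT.EDU
       through line 4, whose target line 3 does not cover.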

MODULE BEHAVIOR

       The ACL file can coexist with other authorization modules in release
       1.16 and later, as configured in the kadm5_auth section of
       krb5.conf(5).  The ACL file will positively authorize operations
       according to the rules above, but will never authoritatively deny an
       operation, so other modules can authorize operations in addition to
       those authorized by the ACL file.  In particular, an upper-case
       (disallow) letter in kadm5.acl does not override a grant made by
       another kadm5_auth module.

       To operate without an ACL file, set the acl_file variable in
       kdc.conf(5) to the empty string with acl_file = "".


SEE ALSO

       kdc.conf(5), kadmind(8)


AUTHOR

       MIT


COPYRIGHT

       1985-2019, MIT


1.17                                                              KADM5.ACL(5)