1KADM5.ACL(5) MIT Kerberos KADM5.ACL(5)
2
6 kadm5.acl - Kerberos ACL file
7
9 The Kerberos kadmind(8) daemon uses an Access Control List (ACL) file
10 to manage access rights to the Kerberos database. For operations that
11 affect principals, the ACL file also controls which principals can op‐
12 erate on which other principals.
13 The default location of the Kerberos ACL file is /var/ker‐
15 beros/krb5kdc/kadm5.acl unless this is overridden by the acl_file
16 variable in kdc.conf(5).
17
19 Empty lines and lines starting with the sharp sign (#) are ignored.
20 Lines containing ACL entries have the format:
21 principal permissions [target_principal [restrictions] ]
23 NOTE:
25 Line order in the ACL file is important. The first matching entry
26 will control access for an actor principal on a target principal.
27 principal
29 (Partially or fully qualified Kerberos principal name.) Speci‐
30 fies the principal whose permissions are to be set.
31 Each component of the name may be wildcarded using the * charac‐
33 ter.
34 permissions
36 Specifies what operations may or may not be performed by a prin‐
37 cipal matching a particular entry. This is a string of one or
38 more of the following list of characters or their upper-case
39 counterparts. If the character is upper-case, then the opera‐
40 tion is disallowed. If the character is lower-case, then the
41 operation is permitted.
42 ┌──┬────────────────────────────┐
44 │a │ [Dis]allows the addition │
45 │ │ of principals or policies │
46 ├──┼────────────────────────────┤
47 │c │ [Dis]allows the changing │
48 │ │ of passwords for princi‐ │
49 │ │ pals │
50 ├──┼────────────────────────────┤
51 │d │ [Dis]allows the deletion │
52 │ │ of principals or policies │
53 ├──┼────────────────────────────┤
54 │e │ [Dis]allows the extraction │
55 │ │ of principal keys │
56 ├──┼────────────────────────────┤
57 │i │ [Dis]allows inquiries │
58 │ │ about principals or poli‐ │
59 │ │ cies │
60 ├──┼────────────────────────────┤
61 │l │ [Dis]allows the listing of │
62 │ │ all principals or policies │
63 └──┴────────────────────────────┘
64 │m │ [Dis]allows the modifica‐ │
68 │ │ tion of principals or │
69 │ │ policies │
70 ├──┼────────────────────────────┤
71 │p │ [Dis]allows the propaga‐ │
72 │ │ tion of the principal │
73 │ │ database (used in │
74 │ │ incr_db_prop) │
75 ├──┼────────────────────────────┤
76 │s │ [Dis]allows the explicit │
77 │ │ setting of the key for a │
78 │ │ principal │
79 ├──┼────────────────────────────┤
80 │x │ Short for admcilsp. All │
81 │ │ privileges (except e) │
82 ├──┼────────────────────────────┤
83 │* │ Same as x. │
84 └──┴────────────────────────────┘
85 NOTE:
87 The extract privilege is not included in the wildcard privilege; it
88 must be explicitly assigned. This privilege allows the user to ex‐
89 tract keys from the database, and must be handled with great care to
90 avoid disclosure of important keys like those of the kadmin/* or
91 krbtgt/* principals. The lockdown_keys principal attribute can be
92 used to prevent key extraction from specific principals regardless
93 of the granted privilege.
94 target_principal
96 (Optional. Partially or fully qualified Kerberos principal
97 name.) Specifies the principal on which permissions may be ap‐
98 plied. Each component of the name may be wildcarded using the *
99 character.
100 target_principal can also include back-references to principal,
102 in which *number matches the corresponding wildcard in princi‐
103 pal.
104 restrictions
106 (Optional) A string of flags. Allowed restrictions are:
107 {+|-}flagname
109 flag is forced to the indicated value. The permissi‐
110 ble flags are the same as those for the default_prin‐
111 cipal_flags variable in kdc.conf(5).
112 -clearpolicy
114 policy is forced to be empty.
115 -policy pol
117 policy is forced to be pol.
118 -{expire, pwexpire, maxlife, maxrenewlife} time
120 (getdate string) associated value will be forced to
121 MIN(time, requested value).
122 The above flags act as restrictions on any add or modify opera‐
124 tion which is allowed due to that ACL line.
125 WARNING:
127 If the kadmind ACL file is modified, the kadmind daemon needs to be
128 restarted for changes to take effect.
129
131 Here is an example of a kadm5.acl file:
132 */admin@ATHENA.MIT.EDU * # line 1
134 joeadmin@ATHENA.MIT.EDU ADMCIL # line 2
135 joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3
136 */root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4
137 */root@ATHENA.MIT.EDU l * # line 5
138 sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6
139 (line 1) Any principal in the ATHENA.MIT.EDU realm with an admin in‐
141 stance has all administrative privileges except extracting keys.
142 (lines 1-3) The user joeadmin has all permissions except extracting
144 keys with his admin instance, joeadmin/admin@ATHENA.MIT.EDU (matches
145 line 1). He has no permissions at all with his null instance, joead‐
146 min@ATHENA.MIT.EDU (matches line 2). His root and other non-admin,
147 non-null instances (e.g., extra or dbadmin) have inquire permissions
148 with any principal that has the instance root (matches line 3).
149 (line 4) Any root principal in ATHENA.MIT.EDU can inquire or change the
151 password of their null instance, but not any other null instance.
152 (Here, *1 denotes a back-reference to the component matching the first
153 wildcard in the actor principal.)
154 (line 5) Any root principal in ATHENA.MIT.EDU can generate the list of
156 principals in the database, and the list of policies in the database.
157 This line is separate from line 4, because list permission can only be
158 granted globally, not to specific target principals.
159 (line 6) Finally, the Service Management System principal
161 sms@ATHENA.MIT.EDU has all permissions except extracting keys, but any
162 principal that it creates or modifies will not be able to get postdate‐
163 able tickets or tickets with a life of longer than 9 hours.
164
166 The ACL file can coexist with other authorization modules in release
167 1.16 and later, as configured in the kadm5_auth section of
168 krb5.conf(5). The ACL file will positively authorize operations ac‐
169 cording to the rules above, but will never authoritatively deny an op‐
170 eration, so other modules can authorize operations in addition to those
171 authorized by the ACL file.
172 To operate without an ACL file, set the acl_file variable in
174 kdc.conf(5) to the empty string with acl_file = "".
175
177 kdc.conf(5), kadmind(8)
178
180 MIT
181
183 1985-2021, MIT
1841.19.2 KADM5.ACL(5)