annotate CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/share/man/man5/kadm5.acl.5 @ 68:5028fdace37b

planemo upload commit 2e9511a184a1ca667c7be0c6321a36dc4e3d116d
author jpayne
date Tue, 18 Mar 2025 16:23:26 -0400
.\" Man page generated from reStructuredText.
.
.TH "KADM5.ACL" "5" " " "1.20.1" "MIT Kerberos"
.SH NAME
kadm5.acl \- Kerberos ACL file
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH DESCRIPTION
.sp
The Kerberos kadmind(8) daemon uses an Access Control List
(ACL) file to manage access rights to the Kerberos database.
For operations that affect principals, the ACL file also controls
which principals can operate on which other principals.
.sp
The default location of the Kerberos ACL file is
\fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP unless this is overridden by the \fIacl_file\fP
variable in kdc.conf(5)\&.
.SH SYNTAX
.sp
Empty lines and lines starting with the sharp sign (\fB#\fP) are
ignored. Lines containing ACL entries have the format:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
principal permissions [target_principal [restrictions] ]
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
Line order in the ACL file is important. The first matching entry
will control access for an actor principal on a target principal.
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B \fIprincipal\fP
(Partially or fully qualified Kerberos principal name.) Specifies
the principal whose permissions are to be set.
.sp
Each component of the name may be wildcarded using the \fB*\fP
character.
.TP
.B \fIpermissions\fP
Specifies what operations may or may not be performed by a
\fIprincipal\fP matching a particular entry. This is a string of one or
more of the following list of characters or their upper\-case
counterparts. If the character is \fIupper\-case\fP, then the operation
is disallowed. If the character is \fIlower\-case\fP, then the operation
is permitted.
.TS
center;
|l|l|.
_
T{
a
T} T{
[Dis]allows the addition of principals or policies
T}
_
T{
c
T} T{
[Dis]allows the changing of passwords for principals
T}
_
T{
d
T} T{
[Dis]allows the deletion of principals or policies
T}
_
T{
e
T} T{
[Dis]allows the extraction of principal keys
T}
_
T{
i
T} T{
[Dis]allows inquiries about principals or policies
T}
_
T{
l
T} T{
[Dis]allows the listing of all principals or policies
T}
_
T{
m
T} T{
[Dis]allows the modification of principals or policies
T}
_
T{
p
T} T{
[Dis]allows the propagation of the principal database (used in incr_db_prop)
T}
_
T{
s
T} T{
[Dis]allows the explicit setting of the key for a principal
T}
_
T{
x
T} T{
Short for admcilsp. All privileges (except \fBe\fP)
T}
_
T{
*
T} T{
Same as x.
T}
_
.TE
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
The \fBextract\fP privilege is not included in the wildcard
privilege; it must be explicitly assigned. This privilege
allows the user to extract keys from the database, and must be
handled with great care to avoid disclosure of important keys
like those of the kadmin/* or krbtgt/* principals. The
\fBlockdown_keys\fP principal attribute can be used to prevent
key extraction from specific principals regardless of the
granted privilege.
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B \fItarget_principal\fP
(Optional. Partially or fully qualified Kerberos principal name.)
Specifies the principal on which \fIpermissions\fP may be applied.
Each component of the name may be wildcarded using the \fB*\fP
character.
.sp
\fItarget_principal\fP can also include back\-references to \fIprincipal\fP,
in which \fB*number\fP matches the corresponding wildcard in
\fIprincipal\fP\&.
.TP
.B \fIrestrictions\fP
(Optional) A string of flags. Allowed restrictions are:
.INDENT 7.0
.INDENT 3.5
.INDENT 0.0
.TP
.B {+|\-}\fIflagname\fP
flag is forced to the indicated value. The permissible flags
are the same as those for the \fBdefault_principal_flags\fP
variable in kdc.conf(5)\&.
.TP
.B \fI\-clearpolicy\fP
policy is forced to be empty.
.TP
.B \fI\-policy pol\fP
policy is forced to be \fIpol\fP\&.
.TP
.B \-{\fIexpire, pwexpire, maxlife, maxrenewlife\fP} \fItime\fP
(getdate string) associated value will be forced to
MIN(\fItime\fP, requested value).
.UNINDENT
.UNINDENT
.UNINDENT
.sp
The above flags act as restrictions on any add or modify operation
which is allowed due to that ACL line.
.UNINDENT
.sp
\fBWARNING:\fP
.INDENT 0.0
.INDENT 3.5
If the kadmind ACL file is modified, the kadmind daemon needs to be
restarted for changes to take effect.
.UNINDENT
.UNINDENT
.SH EXAMPLE
.sp
Here is an example of a kadm5.acl file:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
*/admin@ATHENA.MIT.EDU * # line 1
joeadmin@ATHENA.MIT.EDU ADMCIL # line 2
joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3
*/root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4
*/root@ATHENA.MIT.EDU l * # line 5
sms@ATHENA.MIT.EDU x * \-maxlife 9h \-postdateable # line 6
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
(line 1) Any principal in the \fBATHENA.MIT.EDU\fP realm with an
\fBadmin\fP instance has all administrative privileges except extracting
keys.
.sp
(lines 1\-3) The user \fBjoeadmin\fP has all permissions except
extracting keys with his \fBadmin\fP instance,
\fBjoeadmin/admin@ATHENA.MIT.EDU\fP (matches line 1). He has no
permissions at all with his null instance, \fBjoeadmin@ATHENA.MIT.EDU\fP
(matches line 2). His \fBroot\fP and other non\-\fBadmin\fP, non\-null
instances (e.g., \fBextra\fP or \fBdbadmin\fP) have inquire permissions
with any principal that has the instance \fBroot\fP (matches line 3).
.sp
(line 4) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can inquire
or change the password of their null instance, but not any other
null instance. (Here, \fB*1\fP denotes a back\-reference to the
component matching the first wildcard in the actor principal.)
.sp
(line 5) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can generate
the list of principals in the database, and the list of policies
in the database. This line is separate from line 4, because list
permission can only be granted globally, not to specific target
principals.
.sp
(line 6) Finally, the Service Management System principal
\fBsms@ATHENA.MIT.EDU\fP has all permissions except extracting keys, but
any principal that it creates or modifies will not be able to get
postdateable tickets or tickets with a life of longer than 9 hours.
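.sp
As an added illustration (not part of this man page or of the MIT Kerberos
sources), the following Python evaluator applies the rules above to the
example file: the first matching entry wins, \fB*\fP matches one whole name
component, \fB*number\fP in the target refers back to the wildcards of the
actor, and \fBx\fP or \fB*\fP expands to \fBadmcilsp\fP without \fBe\fP\&.
It assumes that a target of \fB*\fP means no target restriction and that
trailing \fB#\fP comments are ignored, as the example lines suggest.
.sp

```python
ALL_PRIVS = set("admcilsp")  # what 'x' and '*' expand to; 'e' is never implied
EXAMPLE_ACL = """\
*/admin@ATHENA.MIT.EDU * # line 1
joeadmin@ATHENA.MIT.EDU ADMCIL # line 2
joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3
*/root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4
*/root@ATHENA.MIT.EDU l * # line 5
sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6
"""  # constructed copy of the man page's example file

def match_princ(pattern, princ, refs):
    """Whole-component match; '*' captures into refs, '*N' must equal refs[N-1]."""
    (pbody, _, prealm), (body, _, realm) = pattern.partition("@"), princ.partition("@")
    pcomps, comps = pbody.split("/"), body.split("/")
    if len(pcomps) != len(comps) or prealm not in ("*", realm):
        return False
    for p, c in zip(pcomps, comps):
        if p == "*":
            refs.append(c)
        elif p[:1] == "*" and p[1:].isdigit() and refs[int(p[1:]) - 1:int(p[1:])] == [c]:
            continue  # back-reference: component equals the Nth actor wildcard
        elif p != c:
            return False
    return True

def parse_perms(s):
    """Lower-case grants, upper-case revokes; 'x'/'*' stand for admcilsp."""
    allowed = set()
    for ch in s:
        bits = ALL_PRIVS if ch in "x*X" else {ch.lower()}
        allowed = allowed - bits if ch.isupper() else allowed | bits
    return allowed

def parse_acl(text):
    """-> [(actor_pattern, allowed_set, target_pattern_or_None, restriction_tokens)]."""
    entries = []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()  # assumption: trailing '#' comments dropped
        if tok:  # a target of '*' is the same as naming no target
            target = tok[2] if len(tok) > 2 and tok[2] != "*" else None
            entries.append((tok[0], parse_perms(tok[1]), target, tok[3:]))
    return entries

def authorize(entries, actor, op, target=None):
    """First entry whose actor (and target, if named) matches decides; returns (permitted, restrictions)."""
    for pat, perms, tpat, restr in entries:
        refs = []
        if match_princ(pat, actor, refs) and (tpat is None or
                (target is not None and match_princ(tpat, target, refs))):
            return op in perms, (restr if op in "am" else [])
    return False, []  # nothing matched: the ACL file grants nothing (it never denies)
```

Entries that name a target are skipped for operations that carry none, which is why line 5 must grant \fBl\fP with a bare \fB*\fP target rather than a specific principal.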
.SH MODULE BEHAVIOR
.sp
The ACL file can coexist with other authorization modules in release
1.16 and later, as configured in the kadm5_auth section of
krb5.conf(5)\&. The ACL file will positively authorize
operations according to the rules above, but will never
authoritatively deny an operation, so other modules can authorize
operations in addition to those authorized by the ACL file.
.sp
To operate without an ACL file, set the \fIacl_file\fP variable in
kdc.conf(5) to the empty string with \fBacl_file = ""\fP\&.
.SH SEE ALSO
.sp
kdc.conf(5), kadmind(8)
.SH AUTHOR
MIT
.SH COPYRIGHT
1985-2022, MIT
.\" Generated by docutils manpage writer.
.