comparison CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/share/man/man5/kadm5.acl.5 @ 68:5028fdace37b

planemo upload commit 2e9511a184a1ca667c7be0c6321a36dc4e3d116d
author jpayne
date Tue, 18 Mar 2025 16:23:26 -0400
67:0e9998148a16 68:5028fdace37b
.\" Man page generated from reStructuredText.
.
.TH "KADM5.ACL" "5" " " "1.20.1" "MIT Kerberos"
.SH NAME
kadm5.acl \- Kerberos ACL file
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH DESCRIPTION
.sp
The Kerberos kadmind(8) daemon uses an Access Control List
(ACL) file to manage access rights to the Kerberos database.
For operations that affect principals, the ACL file also controls
which principals can operate on which other principals.
.sp
The default location of the Kerberos ACL file is
\fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP unless this is overridden by the \fIacl_file\fP
variable in kdc.conf(5)\&.
.SH SYNTAX
.sp
Empty lines and lines starting with the sharp sign (\fB#\fP) are
ignored. Lines containing ACL entries have the format:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
principal permissions [target_principal [restrictions] ]
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
Line order in the ACL file is important. The first matching entry
will control access for an actor principal on a target principal.
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B \fIprincipal\fP
(Partially or fully qualified Kerberos principal name.) Specifies
the principal whose permissions are to be set.
.sp
Each component of the name may be wildcarded using the \fB*\fP
character.
.TP
.B \fIpermissions\fP
Specifies what operations may or may not be performed by a
\fIprincipal\fP matching a particular entry. This is a string of one or
more of the following list of characters or their upper\-case
counterparts. If the character is \fIupper\-case\fP, then the operation
is disallowed. If the character is \fIlower\-case\fP, then the operation
is permitted.
.TS
center;
|l|l|.
_
T{
a
T} T{
[Dis]allows the addition of principals or policies
T}
_
T{
c
T} T{
[Dis]allows the changing of passwords for principals
T}
_
T{
d
T} T{
[Dis]allows the deletion of principals or policies
T}
_
T{
e
T} T{
[Dis]allows the extraction of principal keys
T}
_
T{
i
T} T{
[Dis]allows inquiries about principals or policies
T}
_
T{
l
T} T{
[Dis]allows the listing of all principals or policies
T}
_
T{
m
T} T{
[Dis]allows the modification of principals or policies
T}
_
T{
p
T} T{
[Dis]allows the propagation of the principal database (used in incr_db_prop)
T}
_
T{
s
T} T{
[Dis]allows the explicit setting of the key for a principal
T}
_
T{
x
T} T{
Short for admcilsp. All privileges (except \fBe\fP)
T}
_
T{
*
T} T{
Same as x.
T}
_
.TE
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
The \fBextract\fP privilege is not included in the wildcard
privilege; it must be explicitly assigned. This privilege
allows the user to extract keys from the database, and must be
handled with great care to avoid disclosure of important keys
like those of the kadmin/* or krbtgt/* principals. The
\fBlockdown_keys\fP principal attribute can be used to prevent
key extraction from specific principals regardless of the
granted privilege.
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
.B \fItarget_principal\fP
(Optional. Partially or fully qualified Kerberos principal name.)
Specifies the principal on which \fIpermissions\fP may be applied.
Each component of the name may be wildcarded using the \fB*\fP
character.
.sp
\fItarget_principal\fP can also include back\-references to \fIprincipal\fP,
in which \fB*number\fP matches the corresponding wildcard in
\fIprincipal\fP\&.
.TP
.B \fIrestrictions\fP
(Optional) A string of flags. Allowed restrictions are:
.INDENT 7.0
.INDENT 3.5
.INDENT 0.0
.TP
.B {+|\-}\fIflagname\fP
flag is forced to the indicated value. The permissible flags
are the same as those for the \fBdefault_principal_flags\fP
variable in kdc.conf(5)\&.
.TP
.B \fI\-clearpolicy\fP
policy is forced to be empty.
.TP
.B \fI\-policy pol\fP
policy is forced to be \fIpol\fP\&.
.TP
.B \-{\fIexpire, pwexpire, maxlife, maxrenewlife\fP} \fItime\fP
(getdate string) associated value will be forced to
MIN(\fItime\fP, requested value).
.UNINDENT
.UNINDENT
.UNINDENT
.sp
The above flags act as restrictions on any add or modify operation
which is allowed due to that ACL line.
.UNINDENT
.sp
\fBWARNING:\fP
.INDENT 0.0
.INDENT 3.5
If the kadmind ACL file is modified, the kadmind daemon needs to be
restarted for changes to take effect.
.UNINDENT
.UNINDENT
.SH EXAMPLE
.sp
Here is an example of a kadm5.acl file:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
*/admin@ATHENA.MIT.EDU * # line 1
joeadmin@ATHENA.MIT.EDU ADMCIL # line 2
joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3
*/root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4
*/root@ATHENA.MIT.EDU l * # line 5
sms@ATHENA.MIT.EDU x * \-maxlife 9h \-postdateable # line 6
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
(line 1) Any principal in the \fBATHENA.MIT.EDU\fP realm with an
\fBadmin\fP instance has all administrative privileges except extracting
keys.
.sp
(lines 1\-3) The user \fBjoeadmin\fP has all permissions except
extracting keys with his \fBadmin\fP instance,
\fBjoeadmin/admin@ATHENA.MIT.EDU\fP (matches line 1). He has no
permissions at all with his null instance, \fBjoeadmin@ATHENA.MIT.EDU\fP
(matches line 2). His \fBroot\fP and other non\-\fBadmin\fP, non\-null
instances (e.g., \fBextra\fP or \fBdbadmin\fP) have inquire permissions
with any principal that has the instance \fBroot\fP (matches line 3).
.sp
(line 4) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can inquire
or change the password of their null instance, but not any other
null instance. (Here, \fB*1\fP denotes a back\-reference to the
component matching the first wildcard in the actor principal.)
.sp
(line 5) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can generate
the list of principals in the database, and the list of policies
in the database. This line is separate from line 4, because list
permission can only be granted globally, not to specific target
principals.
.sp
(line 6) Finally, the Service Management System principal
\fBsms@ATHENA.MIT.EDU\fP has all permissions except extracting keys, but
any principal that it creates or modifies will not be able to get
postdateable tickets or tickets with a life of longer than 9 hours.
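As an added illustration (not MIT Kerberos code), the following Python evaluator applies the rules above, first matching entry wins, per-component `*` wildcards, lower-case grant and upper-case deny, `x`/`*` as admcilsp, and `*N` back-references, to the example ACL so each commentary line (1 to 6) can be checked mechanically. It assumes the realm is compared like any other component and that a `*` target field means "any target", including global checks such as listing.

```python
# Added example (not MIT Kerberos code): evaluates kadm5.acl entries with
# the rules the man page states. First matching entry wins, '*' wildcards a
# component, lower-case grants and upper-case denies, 'x'/'*' expand to
# admcilsp, and '*N' in the target refers to the actor's N-th wildcard.
SAMPLE_ACL = """\
*/admin@ATHENA.MIT.EDU * # line 1
joeadmin@ATHENA.MIT.EDU ADMCIL # line 2
joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3
*/root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4
*/root@ATHENA.MIT.EDU l * # line 5
sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6
"""
ALL_PRIVS = "admcilsp"  # never includes 'e' (extract keys)


def _parts(name):
    local, _, realm = name.partition("@")
    return local.split("/") + [realm]  # assumption: realm is just the last component


def match_principal(pattern, name, captures=()):
    """Return the components captured by '*' wildcards, or None on mismatch."""
    pat, got = _parts(pattern), _parts(name)
    if len(pat) != len(got):
        return None
    found = []
    for p, g in zip(pat, got):
        if p[:1] == "*" and p[1:].isdigit():  # '*N' back-reference to actor
            p = captures[int(p[1:]) - 1]
        if p == "*":
            found.append(g)
        elif p != g:
            return None
    return found


def check(acl_text, actor, target, op):
    """(allowed, restrictions) from the first entry matching actor and target.
    target=None models a global check such as listing; a '*' target field
    is treated as 'no target' (assumption), so it also matches global checks."""
    for line in acl_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        caps = match_principal(fields[0], actor)
        if caps is None:
            continue
        tpat = fields[2] if len(fields) > 2 and fields[2] != "*" else None
        if tpat and (target is None or match_principal(tpat, target, caps) is None):
            continue
        perms = fields[1].replace("*", "x")
        perms = perms.replace("x", ALL_PRIVS).replace("X", ALL_PRIVS.upper())
        return op in perms, fields[3:]  # first match decides, even when it denies
    return False, []
```

Because the first matching entry decides, a later and more permissive line never rescues an actor/target pair that an earlier line already matched, which is why line 5 in the example only works for global list checks.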
.SH MODULE BEHAVIOR
.sp
The ACL file can coexist with other authorization modules in release
1.16 and later, as configured in the kadm5_auth section of
krb5.conf(5)\&. The ACL file will positively authorize
operations according to the rules above, but will never
authoritatively deny an operation, so other modules can authorize
operations in addition to those authorized by the ACL file.
.sp
To operate without an ACL file, set the \fIacl_file\fP variable in
kdc.conf(5) to the empty string with \fBacl_file = ""\fP\&.
.SH SEE ALSO
.sp
kdc.conf(5), kadmind(8)
.SH AUTHOR
MIT
.SH COPYRIGHT
1985-2022, MIT
.\" Generated by docutils manpage writer.
.