jpayne@68: .\" Man page generated from reStructuredText. jpayne@68: . jpayne@68: .TH "KADM5.ACL" "5" " " "1.20.1" "MIT Kerberos" jpayne@68: .SH NAME jpayne@68: kadm5.acl \- Kerberos ACL file jpayne@68: . jpayne@68: .nr rst2man-indent-level 0 jpayne@68: . jpayne@68: .de1 rstReportMargin jpayne@68: \\$1 \\n[an-margin] jpayne@68: level \\n[rst2man-indent-level] jpayne@68: level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] jpayne@68: - jpayne@68: \\n[rst2man-indent0] jpayne@68: \\n[rst2man-indent1] jpayne@68: \\n[rst2man-indent2] jpayne@68: .. jpayne@68: .de1 INDENT jpayne@68: .\" .rstReportMargin pre: jpayne@68: . RS \\$1 jpayne@68: . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] jpayne@68: . nr rst2man-indent-level +1 jpayne@68: .\" .rstReportMargin post: jpayne@68: .. jpayne@68: .de UNINDENT jpayne@68: . RE jpayne@68: .\" indent \\n[an-margin] jpayne@68: .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] jpayne@68: .nr rst2man-indent-level -1 jpayne@68: .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] jpayne@68: .in \\n[rst2man-indent\\n[rst2man-indent-level]]u jpayne@68: .. jpayne@68: .SH DESCRIPTION jpayne@68: .sp jpayne@68: The Kerberos kadmind(8) daemon uses an Access Control List jpayne@68: (ACL) file to manage access rights to the Kerberos database. jpayne@68: For operations that affect principals, the ACL file also controls jpayne@68: which principals can operate on which other principals. jpayne@68: .sp jpayne@68: The default location of the Kerberos ACL file is jpayne@68: \fB/mnt/c/Users/crash/Documents/BobLiterman/CSP2_Galaxy/CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/var\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP unless this is overridden by the \fIacl_file\fP jpayne@68: variable in kdc.conf(5)\&. jpayne@68: .SH SYNTAX jpayne@68: .sp jpayne@68: Empty lines and lines starting with the sharp sign (\fB#\fP) are jpayne@68: ignored. 
Lines containing ACL entries have the format: jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: principal permissions [target_principal [restrictions] ] jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: \fBNOTE:\fP jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: Line order in the ACL file is important. The first matching entry jpayne@68: will control access for an actor principal on a target principal. jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .INDENT 0.0 jpayne@68: .TP jpayne@68: .B \fIprincipal\fP jpayne@68: (Partially or fully qualified Kerberos principal name.) Specifies jpayne@68: the principal whose permissions are to be set. jpayne@68: .sp jpayne@68: Each component of the name may be wildcarded using the \fB*\fP jpayne@68: character. jpayne@68: .TP jpayne@68: .B \fIpermissions\fP jpayne@68: Specifies what operations may or may not be performed by a jpayne@68: \fIprincipal\fP matching a particular entry. This is a string of one or jpayne@68: more of the following list of characters or their upper\-case jpayne@68: counterparts. If the character is \fIupper\-case\fP, then the operation jpayne@68: is disallowed. If the character is \fIlower\-case\fP, then the operation jpayne@68: is permitted. jpayne@68: .TS jpayne@68: center; jpayne@68: |l|l|. 
jpayne@68: _ jpayne@68: T{ jpayne@68: a jpayne@68: T} T{ jpayne@68: [Dis]allows the addition of principals or policies jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: c jpayne@68: T} T{ jpayne@68: [Dis]allows the changing of passwords for principals jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: d jpayne@68: T} T{ jpayne@68: [Dis]allows the deletion of principals or policies jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: e jpayne@68: T} T{ jpayne@68: [Dis]allows the extraction of principal keys jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: i jpayne@68: T} T{ jpayne@68: [Dis]allows inquiries about principals or policies jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: l jpayne@68: T} T{ jpayne@68: [Dis]allows the listing of all principals or policies jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: m jpayne@68: T} T{ jpayne@68: [Dis]allows the modification of principals or policies jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: p jpayne@68: T} T{ jpayne@68: [Dis]allows the propagation of the principal database (used in incr_db_prop) jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: s jpayne@68: T} T{ jpayne@68: [Dis]allows the explicit setting of the key for a principal jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: x jpayne@68: T} T{ jpayne@68: Short for admcilsp. All privileges (except \fBe\fP) jpayne@68: T} jpayne@68: _ jpayne@68: T{ jpayne@68: * jpayne@68: T} T{ jpayne@68: Same as x. jpayne@68: T} jpayne@68: _ jpayne@68: .TE jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: \fBNOTE:\fP jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: The \fBextract\fP privilege is not included in the wildcard jpayne@68: privilege; it must be explicitly assigned. This privilege jpayne@68: allows the user to extract keys from the database, and must be jpayne@68: handled with great care to avoid disclosure of important keys jpayne@68: like those of the kadmin/* or krbtgt/* principals. 
The jpayne@68: \fBlockdown_keys\fP principal attribute can be used to prevent jpayne@68: key extraction from specific principals regardless of the jpayne@68: granted privilege. jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .INDENT 0.0 jpayne@68: .TP jpayne@68: .B \fItarget_principal\fP jpayne@68: (Optional. Partially or fully qualified Kerberos principal name.) jpayne@68: Specifies the principal on which \fIpermissions\fP may be applied. jpayne@68: Each component of the name may be wildcarded using the \fB*\fP jpayne@68: character. jpayne@68: .sp jpayne@68: \fItarget_principal\fP can also include back\-references to \fIprincipal\fP, jpayne@68: in which \fB*number\fP matches the corresponding wildcard in jpayne@68: \fIprincipal\fP\&. jpayne@68: .TP jpayne@68: .B \fIrestrictions\fP jpayne@68: (Optional) A string of flags. Allowed restrictions are: jpayne@68: .INDENT 7.0 jpayne@68: .INDENT 3.5 jpayne@68: .INDENT 0.0 jpayne@68: .TP jpayne@68: .B {+|\-}\fIflagname\fP jpayne@68: flag is forced to the indicated value. The permissible flags jpayne@68: are the same as those for the \fBdefault_principal_flags\fP jpayne@68: variable in kdc.conf(5)\&. jpayne@68: .TP jpayne@68: .B \fI\-clearpolicy\fP jpayne@68: policy is forced to be empty. jpayne@68: .TP jpayne@68: .B \fI\-policy pol\fP jpayne@68: policy is forced to be \fIpol\fP\&. jpayne@68: .TP jpayne@68: .B \-{\fIexpire, pwexpire, maxlife, maxrenewlife\fP} \fItime\fP jpayne@68: (getdate string) associated value will be forced to jpayne@68: MIN(\fItime\fP, requested value). jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: The above flags act as restrictions on any add or modify operation jpayne@68: which is allowed due to that ACL line. jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: \fBWARNING:\fP jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: If the kadmind ACL file is modified, the kadmind daemon needs to be jpayne@68: restarted for changes to take effect. 
jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .SH EXAMPLE jpayne@68: .sp jpayne@68: Here is an example of a kadm5.acl file: jpayne@68: .INDENT 0.0 jpayne@68: .INDENT 3.5 jpayne@68: .sp jpayne@68: .nf jpayne@68: .ft C jpayne@68: */admin@ATHENA.MIT.EDU * # line 1 jpayne@68: joeadmin@ATHENA.MIT.EDU ADMCIL # line 2 jpayne@68: joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3 jpayne@68: */root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4 jpayne@68: */root@ATHENA.MIT.EDU l * # line 5 jpayne@68: sms@ATHENA.MIT.EDU x * \-maxlife 9h \-postdateable # line 6 jpayne@68: .ft P jpayne@68: .fi jpayne@68: .UNINDENT jpayne@68: .UNINDENT jpayne@68: .sp jpayne@68: (line 1) Any principal in the \fBATHENA.MIT.EDU\fP realm with an jpayne@68: \fBadmin\fP instance has all administrative privileges except extracting jpayne@68: keys. jpayne@68: .sp jpayne@68: (lines 1\-3) The user \fBjoeadmin\fP has all permissions except jpayne@68: extracting keys with his \fBadmin\fP instance, jpayne@68: \fBjoeadmin/admin@ATHENA.MIT.EDU\fP (matches line 1). He has no jpayne@68: permissions at all with his null instance, \fBjoeadmin@ATHENA.MIT.EDU\fP jpayne@68: (matches line 2). His \fBroot\fP and other non\-\fBadmin\fP, non\-null jpayne@68: instances (e.g., \fBextra\fP or \fBdbadmin\fP) have inquire permissions jpayne@68: with any principal that has the instance \fBroot\fP (matches line 3). jpayne@68: .sp jpayne@68: (line 4) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can inquire jpayne@68: or change the password of their null instance, but not any other jpayne@68: null instance. (Here, \fB*1\fP denotes a back\-reference to the jpayne@68: component matching the first wildcard in the actor principal.) jpayne@68: .sp jpayne@68: (line 5) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can generate jpayne@68: the list of principals in the database, and the list of policies jpayne@68: in the database. 
This line is separate from line 4, because list jpayne@68: permission can only be granted globally, not to specific target jpayne@68: principals. jpayne@68: .sp jpayne@68: (line 6) Finally, the Service Management System principal jpayne@68: \fBsms@ATHENA.MIT.EDU\fP has all permissions except extracting keys, but jpayne@68: any principal that it creates or modifies will not be able to get jpayne@68: postdateable tickets or tickets with a life of longer than 9 hours. jpayne@68: .SH MODULE BEHAVIOR jpayne@68: .sp jpayne@68: The ACL file can coexist with other authorization modules in release jpayne@68: 1.16 and later, as configured in the kadm5_auth section of jpayne@68: krb5.conf(5)\&. The ACL file will positively authorize jpayne@68: operations according to the rules above, but will never jpayne@68: authoritatively deny an operation, so other modules can authorize jpayne@68: operations in addition to those authorized by the ACL file. jpayne@68: .sp jpayne@68: To operate without an ACL file, set the \fIacl_file\fP variable in jpayne@68: kdc.conf(5) to the empty string with \fBacl_file = ""\fP\&. jpayne@68: .SH SEE ALSO jpayne@68: .sp jpayne@68: kdc.conf(5), kadmind(8) jpayne@68: .SH AUTHOR jpayne@68: MIT jpayne@68: .SH COPYRIGHT jpayne@68: 1985-2022, MIT jpayne@68: .\" Generated by docutils manpage writer. jpayne@68: .
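As an added example (not code from MIT Kerberos or kadmind), the following Python models the SYNTAX rules above and checks them against the example file: the first matching entry wins, `*` wildcards one name component, `*N` in target_principal back-references the N-th actor wildcard, upper-case letters revoke, and `x`/`*` never imply `e`. It assumes that trailing `# ...` comments are stripped (as the example file's annotations imply), that a bare `*` target matches anything including targetless operations such as list, and that every name carries an explicit `@REALM`.

```python
# Added example, not MIT Kerberos code: a small model of the kadm5.acl rules above.
ACL_TEXT = """\
*/admin@ATHENA.MIT.EDU * # line 1
joeadmin@ATHENA.MIT.EDU ADMCIL # line 2
joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3
*/root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4
*/root@ATHENA.MIT.EDU l * # line 5
sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6
"""  # constructed copy of the example file shown on this page

def parse_acl(text):  # -> [(principal, permissions, target or None, restrictions)]
    entries = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()  # assumes trailing "# ..." is a comment
        if f:  # blank and comment lines are ignored
            # assumes a bare "*" target means any target, even for targetless ops (list)
            target = f[2] if len(f) > 2 and f[2] != "*" else None
            entries.append((f[0], f[1], target, f[3:]))
    return entries

def match(pattern, name, wild):
    # Compare component by component, realm last (assumes an explicit @REALM).
    # "*" matches any one component and records it; "*N" must equal wild[N-1].
    pat, comps = (s.replace("@", "/").split("/") for s in (pattern, name))
    if len(pat) != len(comps):
        return False
    for p, c in zip(pat, comps):
        if p[:1] == "*" and p[1:].isdigit():  # back-reference to the N-th wildcard
            p = wild[int(p[1:]) - 1] if 0 < int(p[1:]) <= len(wild) else None
        if p == "*":
            wild.append(c)
        elif p != c:
            return False
    return True

def privileges(perms):  # lower-case grants, upper-case revokes, x/* = admcilsp
    privs = set()
    for ch in perms:
        bits = set("admcilsp") if ch in "x*" else {ch.lower()}  # x never adds e
        privs = privs | bits if ch.islower() or ch in "x*" else privs - bits
    return privs

def allowed(entries, actor, op, target=None):
    # Line order matters: the first entry matching actor (and target) decides.
    for principal, perms, tgt, _restrictions in entries:
        wild = []
        if match(principal, actor, wild) and (
                tgt is None or (target is not None and match(tgt, target, wild))):
            return op in privileges(perms)
    return False  # no matching entry: the ACL file does not authorize the op
```

Running the checks below reproduces the outcomes the EXAMPLE section walks through, including joeadmin/root being unable to change bob/root's password because line 3 (inquire only) matches before any later line is consulted.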