From 400133be0b9fab25774a1166accf3ee83e73b7d5 Mon Sep 17 00:00:00 2001
From: Johan Danielsson <joda@pdc.kth.se>
Date: Sat, 21 Mar 1998 00:51:03 +0000
Subject: [PATCH] Check for principals changing their own passwords.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@4622 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kadmin/server.c    | 12 ++++++++++--
 lib/kadm5/server.c | 12 ++++++++++--
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/kadmin/server.c b/kadmin/server.c
index 1bd1bae70..c207b5515 100644
--- a/kadmin/server.c
+++ b/kadmin/server.c
@@ -293,7 +293,11 @@ kadmind_dispatch(void *kadm_handle, krb5_storage *sp)
 	}
 	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
 	krb5_warnx(context->context, "%s: %s %s", client, op, name);
-	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW);
+	/* anyone can change her/his own password */
+	if(!krb5_principal_compare(context->context, context->caller, princ))
+	    ret = KADM5_AUTH_INSUFFICIENT;
+	if(ret)
+	    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW);
 	if(ret){
 	    krb5_free_principal(context->context, princ);
 	    goto fail;
@@ -313,7 +317,11 @@ kadmind_dispatch(void *kadm_handle, krb5_storage *sp)
 	    goto fail;
 	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
 	krb5_warnx(context->context, "%s: %s %s", client, op, name);
-	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW);
+	/* anyone can change her/his own password */
+	if(!krb5_principal_compare(context->context, context->caller, princ))
+	    ret = KADM5_AUTH_INSUFFICIENT;
+	if(ret)
+	    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW);
 	if(ret){
 	    krb5_free_principal(context->context, princ);
 	    goto fail;
diff --git a/lib/kadm5/server.c b/lib/kadm5/server.c
index 1bd1bae70..c207b5515 100644
--- a/lib/kadm5/server.c
+++ b/lib/kadm5/server.c
@@ -293,7 +293,11 @@ kadmind_dispatch(void *kadm_handle, krb5_storage *sp)
 	}
 	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
 	krb5_warnx(context->context, "%s: %s %s", client, op, name);
-	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW);
+	/* anyone can change her/his own password */
+	if(!krb5_principal_compare(context->context, context->caller, princ))
+	    ret = KADM5_AUTH_INSUFFICIENT;
+	if(ret)
+	    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW);
 	if(ret){
 	    krb5_free_principal(context->context, princ);
 	    goto fail;
@@ -313,7 +317,11 @@ kadmind_dispatch(void *kadm_handle, krb5_storage *sp)
 	    goto fail;
 	krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
 	krb5_warnx(context->context, "%s: %s %s", client, op, name);
-	ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW);
+	/* anyone can change her/his own password */
+	if(!krb5_principal_compare(context->context, context->caller, princ))
+	    ret = KADM5_AUTH_INSUFFICIENT;
+	if(ret)
+	    ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW);
 	if(ret){
 	    krb5_free_principal(context->context, princ);
 	    goto fail;