From 6043cc8c88a7faf20e16176bd9982356fa4b3d24 Mon Sep 17 00:00:00 2001
From: Jeffrey Altman
Date: Mon, 16 Mar 2015 10:47:16 -0500
Subject: [PATCH] kadmind: check for KADM5_PRIV_GET when op GET

When performing a permission check for a GET operation the KADM5_PRIV_GET_KEYS privilege should not be assumed to be a pure superset of KADM5_PRIV_GET. If the "get" permission is denied the user cannot get an entry with or without key data.
---
 kadmin/server.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/kadmin/server.c b/kadmin/server.c
index 0ac0b83e4..1d55b458e 100644
--- a/kadmin/server.c
+++ b/kadmin/server.c
@@ -78,20 +78,24 @@ kadmind_dispatch(void *kadm_handlep, krb5_boolean initial,
 mask |= KADM5_PRINCIPAL;
 krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name));
 krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
- ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_GET_KEYS, princ);
- if (ret == 0)
- keys_ok = 1;
- else
- ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_GET, princ);
- if(ret){
+
+ /* If the caller doesn't have KADM5_PRIV_GET, we're done. */
+ ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_GET, princ);
+ if (ret) {
 krb5_free_principal(contextp->context, princ);
 goto fail;
- }
+ }
+
+ /* Then check to see if it is ok to return keys */
+ ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_GET_KEYS, princ);
+ if (ret == 0)
+ keys_ok = 1;
+
 ret = kadm5_get_principal(kadm_handlep, princ, &ent, mask);
 krb5_storage_free(sp);
 sp = krb5_storage_emem();
 krb5_store_int32(sp, ret);
- if(ret == 0){
+ if (ret == 0){
 if (keys_ok)
 kadm5_store_principal_ent(sp, &ent);
 else
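Review bot: A non-zero result from the second `_kadm5_acl_check_permission` call (KADM5_PRIV_GET_KEYS) is silently dropped, because `ret` is overwritten by `kadm5_get_principal` on the next statement, and nothing records whether key data was released. That fails closed, which is right, but the comment should say so, e.g. `/* GET_KEYS is optional: a denial only withholds key data, it does not fail the GET. */`. The only log line, `krb5_warnx(contextp->context, "%s: %s %s", client, op, name);`, runs before both checks, so the log reads the same for a denied GET, a GET without keys and a GET that returns keys. A second line after the GET_KEYS check, such as `krb5_warnx(contextp->context, "%s: %s %s: keys %s", client, op, name, keys_ok ? "returned" : "withheld");`, would make key release auditable. The declaration of `keys_ok` is outside the hunk, so please confirm it is initialised to 0, since the new ordering only ever sets it to 1. `kadmind_dispatch` starts and ends outside the hunk, so the `else` branch that handles the no-keys case is not visible here.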