kadmind: check ACLs for aliases CVE-2016-2400
CVE-2016-2400 kadmind(8) was not checking for 'add' permission to aliases added via kadm5_modify_principal(). This is a security vulnerability. The impact of this vulnerability is mostly minor because most sites that use kadmind(8) generally grant roughly the same level of permissions to all administrators. However, the impact will be higher for sites that grant modify privileges to large numbers of less-privileged users. From what we know of existing deployments of Heimdal, it seems very likely that the impact of this vulnerability will be minor for most sites.
@@ -82,6 +82,7 @@ ${kadmin} -l add -p foo --use-defaults bar@${R} || exit 1
|
||||
${kadmin} -l add -p foo --use-defaults baz@${R} || exit 1
|
||||
${kadmin} -l add -p foo --use-defaults bez@${R} || exit 1
|
||||
${kadmin} -l add -p foo --use-defaults fez@${R} || exit 1
|
||||
${kadmin} -l add -p foo --use-defaults hasalias@${R} || exit 1
|
||||
${kadmin} -l add -p foo --use-defaults pkinit@${R} || exit 1
|
||||
${kadmin} -l modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" pkinit@${R} || exit 1
|
||||
|
||||
@@ -100,6 +101,58 @@ fi
|
||||
|
||||
trap "kill -9 ${kdcpid} ${kadmpid}" EXIT
|
||||
|
||||
#----------------------------------
|
||||
echo "kinit (no admin); test mod --alias authorization"
|
||||
${kinit} --password-file=${objdir}/foopassword \
|
||||
-S kadmin/admin@${R} hasalias@${R} || exit 1
|
||||
|
||||
${kadmind} -d &
|
||||
kadmpid=$!
|
||||
sleep 1
|
||||
|
||||
# Check that one non-permitted alias -> failure
|
||||
env KRB5CCNAME=${cache} \
|
||||
${kadmin} -p hasalias@${R} modify --alias=goodalias1@${R} --alias=badalias@${R} hasalias@${R} &&
|
||||
{ echo "kadmin failed $?"; cat messages.log ; exit 1; }
|
||||
wait $kadmpid || { echo "kadmind failed $?"; cat messages.log ; exit 1; }
|
||||
|
||||
${kadmind} -d &
|
||||
kadmpid=$!
|
||||
sleep 1
|
||||
|
||||
# Check that all permitted aliases -> success
|
||||
env KRB5CCNAME=${cache} \
|
||||
${kadmin} -p hasalias@${R} modify --alias=goodalias1@${R} --alias=goodalias2@${R} hasalias@${R} ||
|
||||
{ echo "kadmin failed $?"; cat messages.log ; exit 1; }
|
||||
wait $kadmpid || { echo "kadmind failed $?"; cat messages.log ; exit 1; }
|
||||
|
||||
${kadmind} -d &
|
||||
kadmpid=$!
|
||||
sleep 1
|
||||
|
||||
# Check that we can drop aliases
|
||||
env KRB5CCNAME=${cache} \
|
||||
${kadmin} -p hasalias@${R} modify --alias=goodalias3@${R} hasalias@${R} ||
|
||||
{ echo "kadmin failed $?"; cat messages.log ; exit 1; }
|
||||
wait $kadmpid || { echo "kadmind failed $?"; cat messages.log ; exit 1; }
|
||||
${kadmin} -l get hasalias@${R} | grep Aliases: > kadmin.tmp
|
||||
read junk aliases < kadmin.tmp
|
||||
rm kadmin.tmp
|
||||
[ "$aliases" != "goodalias3@${R}" ] && { echo "kadmind failed $?"; cat messages.log ; exit 1; }
|
||||
|
||||
${kadmind} -d &
|
||||
kadmpid=$!
|
||||
sleep 1
|
||||
|
||||
env KRB5CCNAME=${cache} \
|
||||
${kadmin} -p hasalias@${R} modify --alias=goodalias1@${R} --alias=goodalias2@${R} --alias=goodalias3@${R} hasalias@${R} ||
|
||||
{ echo "kadmin failed $?"; cat messages.log ; exit 1; }
|
||||
wait $kadmpid || { echo "kadmind failed $?"; cat messages.log ; exit 1; }
|
||||
${kadmin} -l get hasalias@${R} | grep Aliases: > kadmin.tmp
|
||||
read junk aliases < kadmin.tmp
|
||||
rm kadmin.tmp
|
||||
[ "$aliases" != "goodalias1@${R} goodalias2@${R} goodalias3@${R}" ] && { echo "FOO failed $?"; cat messages.log ; exit 1; }
|
||||
|
||||
#----------------------------------
|
||||
${kadmind} -d &
|
||||
kadmpid=$!
|
||||
|
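Review bot: The negative case in the `@@ -100,6 +101,58 @@` hunk (`modify --alias=goodalias1@${R} --alias=badalias@${R}`) asserts only that kadmin exits non-zero, so it passes on any failure and never confirms that the principal was left unmodified. Because the fix is an authorization check, the rejected modify should be followed by a database check such as `${kadmin} -l get hasalias@${R} | grep -E 'goodalias1|badalias' && { echo "alias added despite denial"; exit 1; }`. That would catch a partial application of the permitted alias as well as the forbidden one. Separately, the `echo "kadmind failed $?"` and `echo "FOO failed $?"` messages after the `[ "$aliases" != ... ] &&` comparisons print the status of `[`, which is always 0 at that point. Printing the expected and actual alias lists there would make a failure diagnosable.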
@@ -3,3 +3,7 @@ bar@TEST.H5L.SE all
|
||||
baz@TEST.H5L.SE get,add *
|
||||
bez@TEST.H5L.SE get,add *@TEST.H5L.SE
|
||||
fez@TEST.H5L.SE get,add
|
||||
hasalias@TEST.H5L.SE get,mod hasalias@TEST.H5L.SE
|
||||
hasalias@TEST.H5L.SE get,add goodalias1@TEST.H5L.SE
|
||||
hasalias@TEST.H5L.SE get,add goodalias2@TEST.H5L.SE
|
||||
hasalias@TEST.H5L.SE get,add goodalias3@TEST.H5L.SE
|
||||
|