oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kadmind: check ACLs for aliases CVE-2016-2400

Browse Source 
CVE-2016-2400

kadmind(8) was not checking for 'add' permission to aliases added via
kadm5_modify_principal().  This is a security vulnerability.  The impact
of this vulnerability is mostly minor because most sites that use
kadmind(8) generally grant roughly the same level of permissions to all
administrators.  However, the impact will be higher for sites that grant
modify privileges to large numbers of less-privileged users.

From what we know of existing deployments of Heimdal, it seems very
likely that the impact of this vulnerability will be minor for most
sites.
This commit is contained in:
Nicolas Williams
2016-02-12 13:52:31 -06:00
parent 50a45a946d
commit 8343733562
3 changed files with 230 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
tests/kdc/heimdal.acl
View File

@@ -3,3 +3,7 @@ bar@TEST.H5L.SE all
baz@TEST.H5L.SE get,add *
bez@TEST.H5L.SE get,add *@TEST.H5L.SE
fez@TEST.H5L.SE get,add
hasalias@TEST.H5L.SE get,mod hasalias@TEST.H5L.SE
hasalias@TEST.H5L.SE get,add goodalias1@TEST.H5L.SE
hasalias@TEST.H5L.SE get,add goodalias2@TEST.H5L.SE
hasalias@TEST.H5L.SE get,add goodalias3@TEST.H5L.SE