xref: /freebsd/crypto/krb5/doc/admin/conf_files/kadm5_acl.rst (revision 7f2fe78b9dd5f51c821d771b63d2e096f6fd49e9)
.. _kadm5.acl(5):

kadm5.acl
=========

DESCRIPTION
-----------

The Kerberos :ref:`kadmind(8)` daemon uses an Access Control List
(ACL) file to manage access rights to the Kerberos database.
For operations that affect principals, the ACL file also controls
which principals can operate on which other principals.

The default location of the Kerberos ACL file is
|kdcdir|\ ``/kadm5.acl`` unless this is overridden by the *acl_file*
variable in :ref:`kdc.conf(5)`.

SYNTAX
------

Empty lines and lines starting with the sharp sign (``#``) are
ignored.  Lines containing ACL entries have the format::

    principal  permissions  [target_principal  [restrictions] ]

.. note::

          Line order in the ACL file is important.  The first matching entry
          will control access for an actor principal on a target principal.

*principal*
    (Partially or fully qualified Kerberos principal name.) Specifies
    the principal whose permissions are to be set.

    Each component of the name may be wildcarded using the ``*``
    character.

*permissions*
    Specifies what operations may or may not be performed by a
    *principal* matching a particular entry.  This is a string of one or
    more of the following list of characters or their upper-case
    counterparts.  If the character is *upper-case*, then the operation
    is disallowed.  If the character is *lower-case*, then the operation
    is permitted.

    == ======================================================
    a  [Dis]allows the addition of principals or policies
    c  [Dis]allows the changing of passwords for principals
    d  [Dis]allows the deletion of principals or policies
    e  [Dis]allows the extraction of principal keys
    i  [Dis]allows inquiries about principals or policies
    l  [Dis]allows the listing of all principals or policies
    m  [Dis]allows the modification of principals or policies
    p  [Dis]allows the propagation of the principal database (used in :ref:`incr_db_prop`)
    s  [Dis]allows the explicit setting of the key for a principal
    x  Short for admcilsp. All privileges (except ``e``)
    \* Same as x.
    == ======================================================

.. note::

        The ``extract`` privilege is not included in the wildcard
        privilege; it must be explicitly assigned.  This privilege
        allows the user to extract keys from the database, and must be
        handled with great care to avoid disclosure of important keys
        like those of the kadmin/* or krbtgt/* principals.  The
        **lockdown_keys** principal attribute can be used to prevent
        key extraction from specific principals regardless of the
        granted privilege.

*target_principal*
    (Optional. Partially or fully qualified Kerberos principal name.)
    Specifies the principal on which *permissions* may be applied.
    Each component of the name may be wildcarded using the ``*``
    character.

    *target_principal* can also include back-references to *principal*,
    in which ``*number`` matches the corresponding wildcard in
    *principal*.

*restrictions*
    (Optional) A string of flags. Allowed restrictions are:

        {+\|-}\ *flagname*
            flag is forced to the indicated value.  The permissible flags
            are the same as those for the **default_principal_flags**
            variable in :ref:`kdc.conf(5)`.

        *-clearpolicy*
            policy is forced to be empty.

        *-policy pol*
            policy is forced to be *pol*.

        -{*expire, pwexpire, maxlife, maxrenewlife*} *time*
            (:ref:`getdate` string) associated value will be forced to
            MIN(*time*, requested value).

    The above flags act as restrictions on any add or modify operation
    which is allowed due to that ACL line.

.. warning::

    If the kadmind ACL file is modified, the kadmind daemon needs to be
    restarted for changes to take effect.

EXAMPLE
-------

Here is an example of a kadm5.acl file::

    */admin@ATHENA.MIT.EDU    *                               # line 1
    joeadmin@ATHENA.MIT.EDU   ADMCIL                          # line 2
    joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU       # line 3
    */root@ATHENA.MIT.EDU     ci  *1@ATHENA.MIT.EDU           # line 4
    */root@ATHENA.MIT.EDU     l   *                           # line 5
    sms@ATHENA.MIT.EDU        x   * -maxlife 9h -postdateable # line 6

(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with an
``admin`` instance has all administrative privileges except extracting
keys.

(lines 1-3) The user ``joeadmin`` has all permissions except
extracting keys with his ``admin`` instance,
``joeadmin/admin@ATHENA.MIT.EDU`` (matches line 1).  He has no
permissions at all with his null instance, ``joeadmin@ATHENA.MIT.EDU``
(matches line 2).  His ``root`` and other non-``admin``, non-null
instances (e.g., ``extra`` or ``dbadmin``) have inquire permissions
with any principal that has the instance ``root`` (matches line 3).

(line 4) Any ``root`` principal in ``ATHENA.MIT.EDU`` can inquire
or change the password of their null instance, but not any other
null instance.  (Here, ``*1`` denotes a back-reference to the
component matching the first wildcard in the actor principal.)

(line 5) Any ``root`` principal in ``ATHENA.MIT.EDU`` can generate
the list of principals in the database, and the list of policies
in the database.  This line is separate from line 4, because list
permission can only be granted globally, not to specific target
principals.

(line 6) Finally, the Service Management System principal
``sms@ATHENA.MIT.EDU`` has all permissions except extracting keys, but
any principal that it creates or modifies will not be able to get
postdateable tickets or tickets with a life of longer than 9 hours.
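
The following Python evaluator is an added illustration of the SYNTAX
rules above (whole-component ``*`` wildcards, ``*N`` back-references,
upper-case denials, first-match ordering, and the restriction clamps) run
against the example file just explained; it is not kadmind's own code and
is not part of this manual page.  Where the page leaves a detail
unspecified the code takes a labelled assumption: a target written as
``*`` is treated as no target at all (which is what makes line 5 a global
grant), a ``#`` anywhere on a line starts a comment so the annotated
example parses, and ``-maxlife``-style times accept only a simple
``<n><s|m|h|d>`` form in place of the full getdate grammar.

```python
import re
from collections import namedtuple

AclEntry = namedtuple("AclEntry", "principal allowed target restrictions")
ALL_PRIVS = set("admcilsp")   # what x and * expand to; e is never implied

def split_principal(name):    # 'joeadmin/root@REALM' -> (['joeadmin', 'root'], 'REALM')
    body, _, realm = name.partition("@")
    return body.split("/"), realm

def parse_permissions(spec):
    """Lower-case grants, upper-case revokes, x or * grants admcilsp."""
    allowed = set()
    for ch in spec:
        if ch in "x*":
            allowed |= ALL_PRIVS
        elif ch.islower():
            allowed.add(ch)
        elif ch.isupper():
            allowed.discard(ch.lower())
        else:
            raise ValueError("bad permission character %r" % ch)
    return allowed

def parse_acl(text):
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # assumption: '#' starts a comment anywhere
        if not fields:
            continue
        # Assumption: a target written as '*' is the same as no target at all.
        target = fields[2] if len(fields) > 2 and fields[2] != "*" else None
        entries.append(AclEntry(fields[0], parse_permissions(fields[1]), target, fields[3:]))
    return entries

def match_principal(pattern, name, wild):
    """'*' matches one component (recorded in wild), '*N' = N-th recorded wildcard, realm may be '*'."""
    p_comps, p_realm = split_principal(pattern)
    n_comps, n_realm = split_principal(name)
    if len(p_comps) != len(n_comps) or p_realm not in ("*", n_realm):
        return False
    for pc, nc in zip(p_comps, n_comps):
        if pc == "*":
            wild.append(nc)
        elif re.fullmatch(r"\*[1-9]", pc):              # back-reference *N
            if wild[int(pc[1]) - 1:int(pc[1])] != [nc]:
                return False
        elif pc != nc:
            return False
    return True

def find_entry(entries, actor, target=None):
    """First matching line wins.  A line that names a target applies only to
    operations that have one, so 'l' (which has no target) needs a global line."""
    for entry in entries:
        wild = []
        if not match_principal(entry.principal, actor, wild):
            continue
        if entry.target is None or (target and match_principal(entry.target, target, wild)):
            return entry
    return None

def is_allowed(entries, actor, op, target=None):
    entry = find_entry(entries, actor, target)
    return entry is not None and op in entry.allowed

def apply_restrictions(restrictions, request):
    """+/-flag forces an attribute, -clearpolicy/-policy force the policy, and
    -expire/-pwexpire/-maxlife/-maxrenewlife become MIN(limit, requested)."""
    req, flags, args = dict(request), dict(request.get("flags", {})), list(restrictions)
    while args:
        r = args.pop(0)
        if r == "-clearpolicy":
            req["policy"] = None
        elif r == "-policy":
            req["policy"] = args.pop(0)
        elif r in ("-expire", "-pwexpire", "-maxlife", "-maxrenewlife"):
            # Assumption: only '<n><s|m|h|d>' durations here, not the full getdate grammar.
            n, unit = re.fullmatch(r"(\d+)([smhd])", args.pop(0)).groups()
            limit = int(n) * {"s": 1, "m": 60, "h": 3600, "d": 86400}[unit]
            req[r[1:]] = min(limit, req.get(r[1:], limit))
        elif len(r) > 1 and r[0] in "+-":
            flags[r[1:]] = r[0] == "+"
        else:
            raise ValueError("unknown restriction %r" % r)
    req["flags"] = flags
    return req

# The example file from this manual page, including its "# line N" notes.
EXAMPLE_ACL = """\
*/admin@ATHENA.MIT.EDU    *                               # line 1
joeadmin@ATHENA.MIT.EDU   ADMCIL                          # line 2
joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU       # line 3
*/root@ATHENA.MIT.EDU     ci  *1@ATHENA.MIT.EDU           # line 4
*/root@ATHENA.MIT.EDU     l   *                           # line 5
sms@ATHENA.MIT.EDU        x   * -maxlife 9h -postdateable # line 6
"""
ENTRIES = parse_acl(EXAMPLE_ACL)
```

With ``ENTRIES`` loaded, ``is_allowed(ENTRIES, "alice/root@ATHENA.MIT.EDU",
"c", "alice@ATHENA.MIT.EDU")`` is true through line 4 while the same call
against ``bob@ATHENA.MIT.EDU`` falls through to line 5 and is refused, and
``is_allowed(ENTRIES, "alice/root@ATHENA.MIT.EDU", "l")`` is granted only
because line 4 is skipped for an operation without a target.  Swapping
lines 1 and 2 in the file would change nothing for ``joeadmin/admin``
(line 2 has a different component count), but swapping lines 3 and 4
would change which entry answers for ``joeadmin/root`` on a ``root``
target, which is the ordering hazard the note in SYNTAX warns about.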

MODULE BEHAVIOR
---------------

The ACL file can coexist with other authorization modules in release
1.16 and later, as configured in the :ref:`kadm5_auth` section of
:ref:`krb5.conf(5)`.  The ACL file will positively authorize
operations according to the rules above, but will never
authoritatively deny an operation, so other modules can authorize
operations in addition to those authorized by the ACL file.

To operate without an ACL file, set the *acl_file* variable in
:ref:`kdc.conf(5)` to the empty string with ``acl_file = ""``.

SEE ALSO
--------

:ref:`kdc.conf(5)`, :ref:`kadmind(8)`
