
Re: kadmin "privs" question




Alf Wachsmann <alfw@SLAC.Stanford.EDU> writes:

> How do I remotely (i.e. not _on_ one of my KDCs) find out what
> privileges a certain account has?

Right now, not at all. I agree that it might be useful to know remotely.

But it's not as simple as returning a flag `has-ADMIN-privileges` in
heimdal, since the principal might have partial admin rights, both in terms
of target principal and what rights the users have.

For example, take (part of) the acl in the info documentation:

     lha/admin@E.KTH.SE	all
     jimmy/admin@E.KTH.SE	all		*@E.KTH.SE
     mille/admin@E.KTH.SE	change-password	*@E.KTH.SE

Now, jimmy/admin clearly has ADMIN rights to *@E.KTH.SE, but not to
*/whatever@E.KTH.SE.

So, I guess the list of acls that match the principal might be sent
back. That certainly would give you the information you want, but the
question is if that is what you/others wanted.

While talking about the acl system, I kind of miss a negative acl. The
problem is that users with lower rights (let's say a helpdesk/support
person) elevate their rights by changing the password of a user with more
rights. I've just not figured out a good way of expressing it (haven't
given it too much thought either).

We solved the problem by not exposing the kadmin interface to the helpdesk,
but that requires another infrastructure for account management (and that's
just fine for us).

Love

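An added example (not Heimdal's code and not part of this thread) that models how an acl like the fragment above is evaluated, so the "list of matching acls" reply and the partial-rights point can be worked through: it parses the three lines and computes the rights an admin principal holds over a given target. Assumed, not taken from Heimdal: `*` in a target pattern matches exactly one whole principal component, a missing target means any principal, and the set of right names used.

```python
# Simplified model of Heimdal kadmind.acl evaluation. Added example; not
# Heimdal's code. Assumed: each line is "admin-principal rights [target-pattern]",
# rights is "all" or a comma-separated subset of ALL_RIGHTS (names assumed here),
# no target means any principal, and "*" matches exactly one principal component.
from typing import List, Optional, Set, Tuple

ALL_RIGHTS = frozenset({"add", "change-password", "delete", "get", "list", "modify"})

# Constructed sample: the ACL fragment quoted in the mail (tab-separated).
SAMPLE_ACL = (
    "lha/admin@E.KTH.SE\tall\n"
    "jimmy/admin@E.KTH.SE\tall\t\t*@E.KTH.SE\n"
    "mille/admin@E.KTH.SE\tchange-password\t*@E.KTH.SE\n"
)
Entry = Tuple[str, Set[str], Optional[str]]  # (admin principal, rights, target pattern)

def parse_acl(text: str) -> List[Entry]:
    """One entry per non-empty, non-comment line."""
    entries: List[Entry] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        rights = set(ALL_RIGHTS) if fields[1] == "all" else set(fields[1].split(","))
        entries.append((fields[0], rights, fields[2] if len(fields) > 2 else None))
    return entries

def _split(principal: str) -> Tuple[List[str], str]:
    """'lha/admin@E.KTH.SE' -> (['lha', 'admin'], 'E.KTH.SE')."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm

def principal_matches(pattern: Optional[str], principal: str) -> bool:
    """Same realm, same component count, each component equal or '*'."""
    if pattern is None:
        return True
    pcomps, prealm = _split(pattern)
    tcomps, trealm = _split(principal)
    if prealm != trealm or len(pcomps) != len(tcomps):
        return False
    return all(p in ("*", t) for p, t in zip(pcomps, tcomps))

def matching_entries(acl: List[Entry], admin: str) -> List[Entry]:
    """What a remote 'privs' reply could carry: every line naming this admin."""
    return [e for e in acl if e[0] == admin]

def effective_rights(acl: List[Entry], admin: str, target: str) -> Set[str]:
    """Union of rights from this admin's entries whose pattern covers `target`."""
    return set().union(*(r for _, r, pat in matching_entries(acl, admin)
                         if principal_matches(pat, target)))
```

Under this model jimmy/admin has all rights over `alfw@E.KTH.SE` but none over `alfw/whatever@E.KTH.SE`, and mille/admin's change-password right covers `lha@E.KTH.SE`, which is the escalation the mail describes.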