author | Greg Hudson <ghudson@mit.edu> | 2016-06-08 00:00:55 -0400 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2016-07-06 16:09:21 -0400 |
commit | 736521cfa04cf30ab7a6d57a75b267eed90a6593 (patch) | |
tree | 3b0124934b62ec0a93b989d6e03ac6be41a3cf56 | |
parent | 7c4a7adf7f224868c936cb56804ebd17d5d58756 (diff) | |
Fix kadmin min_life check with nonexistent policy
In kadmind, self-service key changes require a check against the
policy's min_life field. If the policy does not exist, this check
should succeed according to the semantics introduced by ticket #7385.
Fix check_min_life() to return 0 if kadm5_get_policy() returns
KADM5_UNK_POLICY. Reported by John Devitofranceschi.
(back ported from commit 5fca279ca4d18f1b5798847a98e7df8737d2eb7c)
ticket: 8427
version_fixed: 1.13.6
tags: -pullup
status: resolved
-rw-r--r-- | src/kadmin/server/misc.c | 4 | ||||
-rw-r--r-- | src/tests/t_policy.py | 5 |
2 files changed, 7 insertions, 2 deletions
diff --git a/src/kadmin/server/misc.c b/src/kadmin/server/misc.c
index 192145c..27a6376 100644
--- a/src/kadmin/server/misc.c
+++ b/src/kadmin/server/misc.c
@@ -177,10 +177,12 @@ check_min_life(void *server_handle, krb5_principal principal,
 if(ret)
 return ret;
 if(princ.aux_attributes & KADM5_POLICY) {
+ /* Look up the policy. If it doesn't exist, treat this principal as if
+ * it had no policy. */
 if((ret=kadm5_get_policy(handle->lhandle,
 princ.policy, &pol)) != KADM5_OK) {
 (void) kadm5_free_principal_ent(handle->lhandle, &princ);
- return ret;
+ return (ret == KADM5_UNK_POLICY) ? 0 : ret;
 }
 if((now - princ.last_pwd_change) < pol.pw_min_life &&
 !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) {
diff --git a/src/tests/t_policy.py b/src/tests/t_policy.py
index f4cb4b4..7b95342 100644
--- a/src/tests/t_policy.py
+++ b/src/tests/t_policy.py
@@ -2,7 +2,7 @@ from k5test import *
 import re
-realm = K5Realm(create_host=False)
+realm = K5Realm(create_host=False, start_kadmind=True)
 # Test password quality enforcement.
 realm.run_kadminl('addpol -minlength 6 -minclasses 2 pwpol')
@@ -48,6 +48,9 @@ if ('WARNING: policy "newpol" does not exist' not in out or
 out = realm.run_kadminl('cpw -pw 3rdpassword pwuser')
 if ' changed.' not in out:
 fail('reuse of current password with nonexistent policy')
+# Regression test for #8427 (min_life check with nonexistent policy).
+realm.run([kadmin, '-p', 'pwuser', '-w', '3rdpassword',
+ '-q', 'cpw -pw 3rdpassword pwuser'])
 # Create newpol and verify that it is enforced.
 realm.run_kadminl('addpol -minlength 3 newpol') |
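Review bot: The new comment above the kadm5_get_policy() call says what happens but not that skipping the min_life check is a deliberate fail-open limited to a single error code. In this hunk every other lookup failure still returns the error, and only KADM5_UNK_POLICY lets the self-service key change proceed; I would state that in the comment, for example `/* Only KADM5_UNK_POLICY is treated as "no policy" (ticket #7385); any other lookup error must still deny the change. */`, so a later edit does not widen the exemption. For consistency with the `!= KADM5_OK` comparison in the condition above, the return could read `return (ret == KADM5_UNK_POLICY) ? KADM5_OK : ret;`. check_min_life() starts and ends outside the hunk, so its remaining paths are not visible here.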
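Review bot: The regression call added at the end of the second t_policy.py hunk discards kadmin's output, so it detects a failure only through the exit status, which presumably makes realm.run() fail the test when it is non-zero. The kadmin.local check just above it inspects the output for ' changed.'; doing the same here would pin the behaviour the fix is meant to guarantee: assign the result with `out = realm.run([kadmin, ...])` and follow it with `if ' changed.' not in out: fail('self-service cpw with nonexistent policy')`. This assumes kadmin prints the same success message as kadmin.local, which the page does not show.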