diff options
author | Ben Kaduk <kaduk@mit.edu> | 2012-10-16 16:07:16 -0400 |
---|---|---|
committer | Ben Kaduk <kaduk@mit.edu> | 2012-10-16 17:08:08 -0400 |
commit | e15127e05f2b12bdd39940a1135cc1510e062aff (patch) | |
tree | 9deff42de4b81e48b7af8a5d82a3af8e5c69794d /src/man/kadm5.acl.man | |
parent | 0bb69fbcc306a3bf28370ac57d7e79120ccc7ce1 (diff) | |
download | krb5-e15127e05f2b12bdd39940a1135cc1510e062aff.zip krb5-e15127e05f2b12bdd39940a1135cc1510e062aff.tar.gz krb5-e15127e05f2b12bdd39940a1135cc1510e062aff.tar.bz2 |
Check in kadm5.acl.man
Somehow this man page was overlooked, previously.
Diffstat (limited to 'src/man/kadm5.acl.man')
-rw-r--r-- | src/man/kadm5.acl.man | 234 |
1 files changed, 234 insertions, 0 deletions
diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man new file mode 100644 index 0000000..ec1da53 --- /dev/null +++ b/src/man/kadm5.acl.man @@ -0,0 +1,234 @@ +.TH "KADM5.ACL" "5" " " "0.0.1" "MIT Kerberos" +.SH NAME +kadm5.acl \- Kerberos ACL file +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructuredText. +. +.SH DESCRIPTION +.sp +The Kerberos \fIkadmind(8)\fP daemon uses an Access Control List +(ACL) file to manage access rights to the Kerberos database. +For operations that affect principals, the ACL file also controls +which principals can operate on which other principals. +.sp +The default location of the Kerberos ACL file is +\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP unless this is overridden by the \fIacl_file\fP +variable in \fIkdc.conf(5)\fP. +.SH SYNTAX +.sp +Empty lines and lines starting with the sharp sign (\fB#\fP) are +ignored. Lines containing ACL entries have the format: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +principal permissions [target_principal [restrictions] ] +.ft P +.fi +.UNINDENT +.UNINDENT +.IP Note +Line order in the ACL file is important. The first matching entry +will control access for an actor principal on a target principal. +.RE +.INDENT 0.0 +.TP +.B \fIprincipal\fP +(Partially or fully qualified Kerberos principal name.) Specifies +the principal whose permissions are to be set. +.sp +Each component of the name may be wildcarded using the \fB*\fP +character. +.TP +.B \fIpermissions\fP +Specifies what operations may or may not be performed by a +\fIprincipal\fP matching a particular entry. This is a string of one or +more of the following list of characters or their upper\-case +counterparts. If the character is \fIupper\-case\fP, then the operation +is disallowed. If the character is \fIlower\-case\fP, then the operation +is permitted. +.TS +center; +|l|l|. +_ +T{ +a +T} T{ +[Dis]allows the addition of principals or policies +T} +_ +T{ +c +T} T{ +[Dis]allows the changing of passwords for principals +T} +_ +T{ +d +T} T{ +[Dis]allows the deletion of principals or policies +T} +_ +T{ +i +T} T{ +[Dis]allows inquiries about principals or policies +T} +_ +T{ +l +T} T{ +[Dis]allows the listing of principals or policies +T} +_ +T{ +m +T} T{ +[Dis]allows the modification of principals or policies +T} +_ +T{ +p +T} T{ +[Dis]allows the propagation of the principal database (used in \fIincr_db_prop\fP) +T} +_ +T{ +s +T} T{ +[Dis]allows the explicit setting of the key for a principal +T} +_ +T{ +x +T} T{ +Short for admcil. All privileges +T} +_ +T{ +* +T} T{ +Same as x. +T} +_ +.TE +.TP +.B \fItarget_principal\fP +(Optional. Partially or fully qualified Kerberos principal name.) +Specifies the principal on which \fIpermissions\fP may be applied. +Each component of the name may be wildcarded using the \fB*\fP +character. +.sp +\fItarget_principal\fP can also include back\-references to \fIprincipal\fP, +in which \fB*number\fP matches the component number in \fIprincipal\fP. +.TP +.B \fIrestrictions\fP +(Optional) A string of flags. Allowed restrictions are: +.INDENT 7.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B {+|\-}\fIflagname\fP +flag is forced to the indicated value. The permissible flags +are the same as the + and \- flags for the kadmin +\fIadd_principal\fP and \fImodify_principal\fP commands. +.TP +.B \fI\-clearpolicy\fP +policy is forced to be empty. +.TP +.B \fI\-policy pol\fP +policy is forced to be \fIpol\fP. +.TP +.B \-{\fIexpire, pwexpire, maxlife, maxrenewlife\fP} \fItime\fP +(\fIgetdate\fP string) associated value will be forced to +MIN(\fItime\fP, requested value). +.UNINDENT +.UNINDENT +.UNINDENT +.sp +The above flags act as restrictions on any add or modify operation +which is allowed due to that ACL line. +.UNINDENT +.IP Warning +If the kadmind ACL file is modified, the kadmind daemon needs to be +restarted for changes to take effect. +.RE +.SH EXAMPLE +.sp +Here is an example of a kadm5.acl file. +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +*/admin@ATHENA.MIT.EDU * # line 1 +joeadmin@ATHENA.MIT.EDU ADMCIL # line 2 +joeadmin/*@ATHENA.MIT.EDU il */root@ATHENA.MIT.EDU # line 3 +*/root@ATHENA.MIT.EDU cil *1@ATHENA.MIT.EDU # line 4 +*/*@ATHENA.MIT.EDU i # line 5 +*/admin@EXAMPLE.COM x * \-maxlife 9h \-postdateable # line 6 +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +(line 1) Any principal in the \fBATHENA.MIT.EDU\fP realm with +an \fBadmin\fP instance has all administrative privileges. +.sp +(lines 1\-3) The user \fBjoeadmin\fP has all permissions with his +\fBadmin\fP instance, \fBjoeadmin/admin@ATHENA.MIT.EDU\fP (matches line +1). He has no permissions at all with his null instance, +\fBjoeadmin@ATHENA.MIT.EDU\fP (matches line 2). His \fBroot\fP and other +non\-\fBadmin\fP, non\-null instances (e.g., \fBextra\fP or \fBdbadmin\fP) have +inquire and list permissions with any principal that has the +instance \fBroot\fP (matches line 3). +.sp +(line 4) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can inquire, list, +or change the password of their null instance, but not any other +null instance. (Here, "*1" denotes a back\-reference to the first +component of the actor principal.) +.sp +(line 5) Any principal in the realm \fBATHENA.MIT.EDU\fP (except for +\fBjoeadmin@ATHENA.MIT.EDU\fP, as mentioned above) has inquire +privileges. +.sp +(line 6) Finally, any principal with an \fBadmin\fP instance in \fBEXAMPLE.COM\fP +has all permissions, but any principal that they create or modify will +not be able to get postdateable tickets or tickets with a life of +longer than 9 hours. +.SH SEE ALSO +.sp +\fIkdc.conf(5)\fP, \fIkadmind(8)\fP +.SH AUTHOR +MIT +.SH COPYRIGHT +2012, MIT +.\" Generated by docutils manpage writer. +. |