From a8c4205341b42445d7adf2ffe2b7cecb65701035 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Wed, 20 Aug 2014 15:24:46 -0400 Subject: Updates for krb5-1.13-alpha1 --- src/man/kadm5.acl.man | 66 +++++++++++++++++++++++++++++---------------------- 1 file changed, 38 insertions(+), 28 deletions(-) (limited to 'src/man/kadm5.acl.man') diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man index dbdb10d..4aa21fc 100644 --- a/src/man/kadm5.acl.man +++ b/src/man/kadm5.acl.man @@ -1,3 +1,5 @@ +.\" Man page generated from reStructuredText. +. .TH "KADM5.ACL" "5" " " "1.13" "MIT Kerberos" .SH NAME kadm5.acl \- Kerberos ACL file @@ -28,8 +30,6 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. -.\" Man page generated from reStructuredText. -. .SH DESCRIPTION .sp The Kerberos \fIkadmind(8)\fP daemon uses an Access Control List @@ -39,7 +39,7 @@ which principals can operate on which other principals. .sp The default location of the Kerberos ACL file is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP unless this is overridden by the \fIacl_file\fP -variable in \fIkdc.conf(5)\fP. +variable in \fIkdc.conf(5)\fP\&. .SH SYNTAX .sp Empty lines and lines starting with the sharp sign (\fB#\fP) are @@ -54,10 +54,14 @@ principal permissions [target_principal [restrictions] ] .fi .UNINDENT .UNINDENT -.IP Note +.sp +\fBNOTE:\fP +.INDENT 0.0 +.INDENT 3.5 Line order in the ACL file is important. The first matching entry will control access for an actor principal on a target principal. -.RE +.UNINDENT +.UNINDENT .INDENT 0.0 .TP .B \fIprincipal\fP @@ -105,7 +109,7 @@ _ T{ l T} T{ -[Dis]allows the listing of principals or policies +[Dis]allows the listing of all principals or policies T} _ T{ @@ -129,7 +133,7 @@ _ T{ x T} T{ -Short for admcil. All privileges +Short for admcilsp. All privileges T} _ T{ @@ -148,7 +152,7 @@ character. .sp \fItarget_principal\fP can also include back\-references to \fIprincipal\fP, in which \fB*number\fP matches the corresponding wildcard in -\fIprincipal\fP. +\fIprincipal\fP\&. .TP .B \fIrestrictions\fP (Optional) A string of flags. Allowed restrictions are: @@ -165,7 +169,7 @@ are the same as the + and \- flags for the kadmin policy is forced to be empty. .TP .B \fI\-policy pol\fP -policy is forced to be \fIpol\fP. +policy is forced to be \fIpol\fP\&. .TP .B \-{\fIexpire, pwexpire, maxlife, maxrenewlife\fP} \fItime\fP (\fIgetdate\fP string) associated value will be forced to @@ -177,24 +181,28 @@ MIN(\fItime\fP, requested value). The above flags act as restrictions on any add or modify operation which is allowed due to that ACL line. .UNINDENT -.IP Warning +.sp +\fBWARNING:\fP +.INDENT 0.0 +.INDENT 3.5 If the kadmind ACL file is modified, the kadmind daemon needs to be restarted for changes to take effect. -.RE +.UNINDENT +.UNINDENT .SH EXAMPLE .sp -Here is an example of a kadm5.acl file. +Here is an example of a kadm5.acl file: .INDENT 0.0 .INDENT 3.5 .sp .nf .ft C -*/admin@ATHENA.MIT.EDU * # line 1 +*/admin@ATHENA.MIT.EDU * # line 1 joeadmin@ATHENA.MIT.EDU ADMCIL # line 2 -joeadmin/*@ATHENA.MIT.EDU il */root@ATHENA.MIT.EDU # line 3 -*/root@ATHENA.MIT.EDU cil *1@ATHENA.MIT.EDU # line 4 -*/*@ATHENA.MIT.EDU i # line 5 -*/admin@EXAMPLE.COM x * \-maxlife 9h \-postdateable # line 6 +joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3 +*/root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4 +*/root@ATHENA.MIT.EDU l * # line 5 +sms@ATHENA.MIT.EDU x * \-maxlife 9h \-postdateable # line 6 .ft P .fi .UNINDENT @@ -208,28 +216,30 @@ an \fBadmin\fP instance has all administrative privileges. 1). He has no permissions at all with his null instance, \fBjoeadmin@ATHENA.MIT.EDU\fP (matches line 2). His \fBroot\fP and other non\-\fBadmin\fP, non\-null instances (e.g., \fBextra\fP or \fBdbadmin\fP) have -inquire and list permissions with any principal that has the -instance \fBroot\fP (matches line 3). +inquire permissions with any principal that has the instance \fBroot\fP +(matches line 3). .sp -(line 4) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can inquire, list, +(line 4) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can inquire or change the password of their null instance, but not any other null instance. (Here, \fB*1\fP denotes a back\-reference to the component matching the first wildcard in the actor principal.) .sp -(line 5) Any principal in the realm \fBATHENA.MIT.EDU\fP (except for -\fBjoeadmin@ATHENA.MIT.EDU\fP, as mentioned above) has inquire -privileges. +(line 5) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can generate +the list of principals in the database, and the list of policies +in the database. This line is separate from line 4, because list +permission can only be granted globally, not to specific target +principals. .sp -(line 6) Finally, any principal with an \fBadmin\fP instance in \fBEXAMPLE.COM\fP -has all permissions, but any principal that they create or modify will -not be able to get postdateable tickets or tickets with a life of -longer than 9 hours. +(line 6) Finally, the Service Management System principal +\fBsms@ATHENA.MIT.EDU\fP has all permissions, but any principal that it +creates or modifies will not be able to get postdateable tickets or +tickets with a life of longer than 9 hours. .SH SEE ALSO .sp \fIkdc.conf(5)\fP, \fIkadmind(8)\fP .SH AUTHOR MIT .SH COPYRIGHT -1985-2013, MIT +1985-2014, MIT .\" Generated by docutils manpage writer. . -- cgit v1.1