<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>kadm5.acl — MIT Kerberos Documentation</title> <link rel="stylesheet" href="../../_static/agogo.css" type="text/css" /> <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" /> <link rel="stylesheet" href="../../_static/kerb.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', VERSION: '1.11.4', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="../../_static/jquery.js"></script> <script type="text/javascript" src="../../_static/underscore.js"></script> <script type="text/javascript" src="../../_static/doctools.js"></script> <link rel="author" title="About these documents" href="../../about.html" /> <link rel="copyright" title="Copyright" href="../../copyright.html" /> <link rel="top" title="MIT Kerberos Documentation" href="../../index.html" /> <link rel="up" title="Configuration Files" href="index.html" /> <link rel="next" title="Realm configuration decisions" href="../realm_config.html" /> <link rel="prev" title="kdc.conf" href="kdc_conf.html" /> </head> <body> <div class="header-wrapper"> <div class="header" style="padding-bottom: 0px;"> <h1><a href="../../index.html" style="color: #5d1509; font-size: 120%; padding-top: 10px;">MIT Kerberos Documentation</a></h1> <div class="rel"> <a href="../../index.html" title="Full Table of Contents" accesskey="C">Contents</a> | <a href="kdc_conf.html" title="kdc.conf" accesskey="P">previous</a> | <a href="../realm_config.html" title="Realm configuration decisions" accesskey="N">next</a> | <a href="../../genindex.html" title="General Index" accesskey="I">index</a> | <a href="../../search.html" title="Enter search criteria" accesskey="S">Search</a> | <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadm5.acl">feedback</a> </div> </div> </div> <div class="content-wrapper"> <div class="content"> <div class="sidebar" style="float: right; background: #F9F9F9"> <h2>On this page </h2> <ul> <li><a class="reference internal" href="#">kadm5.acl</a><ul> <li><a class="reference internal" href="#description">DESCRIPTION</a></li> <li><a class="reference internal" href="#syntax">SYNTAX</a></li> <li><a class="reference internal" href="#example">EXAMPLE</a></li> <li><a class="reference internal" href="#see-also">SEE ALSO</a></li> </ul> </li> </ul> <br/> <h2>Table of contents</h2> <ul class="current"> <li class="toctree-l1"><a class="reference internal" href="../../user/index.html">For users</a></li> <li class="toctree-l1 current"><a class="reference internal" href="../index.html">For administrators</a><ul class="current"> <li class="toctree-l2"><a class="reference internal" href="../install.html">Installation guide</a></li> <li class="toctree-l2 current"><a class="reference internal" href="index.html">Configuration Files</a><ul class="current"> <li class="toctree-l3"><a class="reference internal" href="krb5_conf.html">krb5.conf</a></li> <li class="toctree-l3"><a class="reference internal" href="kdc_conf.html">kdc.conf</a></li> <li class="toctree-l3 current"><a class="current reference internal" href="">kadm5.acl</a></li> </ul> </li> <li class="toctree-l2"><a class="reference internal" href="../realm_config.html">Realm configuration decisions</a></li> <li class="toctree-l2"><a class="reference internal" href="../database.html">Database administration</a></li> <li class="toctree-l2"><a class="reference internal" href="../lockout.html">Account lockout</a></li> <li class="toctree-l2"><a class="reference internal" href="../conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li> <li class="toctree-l2"><a class="reference internal" href="../appl_servers.html">Application servers</a></li> <li class="toctree-l2"><a class="reference internal" href="../host_config.html">Host configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../backup_host.html">Backups of secure hosts</a></li> <li class="toctree-l2"><a class="reference internal" href="../pkinit.html">PKINIT configuration</a></li> <li class="toctree-l2"><a class="reference internal" href="../princ_dns.html">Principal names and DNS</a></li> <li class="toctree-l2"><a class="reference internal" href="../enctypes.html">Encryption types</a></li> <li class="toctree-l2"><a class="reference internal" href="../admin_commands/index.html">Administration programs</a></li> <li class="toctree-l2"><a class="reference internal" href="../../mitK5defaults.html">MIT Kerberos defaults</a></li> <li class="toctree-l2"><a class="reference internal" href="../env_variables.html">Environment variables</a></li> <li class="toctree-l2"><a class="reference internal" href="../troubleshoot.html">Troubleshooting</a></li> <li class="toctree-l2"><a class="reference internal" href="../advanced/index.html">Advanced topics</a></li> <li class="toctree-l2"><a class="reference internal" href="../various_envs.html">Various links</a></li> </ul> </li> <li class="toctree-l1"><a class="reference internal" href="../../appdev/index.html">For application developers</a></li> <li class="toctree-l1"><a class="reference internal" href="../../plugindev/index.html">For plugin module developers</a></li> <li class="toctree-l1"><a class="reference internal" href="../../build/index.html">Building Kerberos V5</a></li> <li class="toctree-l1"><a class="reference internal" href="../../basic/index.html">Kerberos V5 concepts</a></li> <li class="toctree-l1"><a class="reference internal" href="../../mitK5features.html">MIT Kerberos features</a></li> <li class="toctree-l1"><a class="reference internal" href="../../build_this.html">How to build this documentation from the source</a></li> <li class="toctree-l1"><a class="reference internal" href="../../about.html">The Kerberos Documentation Set</a></li> <li class="toctree-l1"><a class="reference internal" href="../../resources.html">Resources</a></li> </ul> <br/> <h4><a href="../../index.html">Full Table of Contents </a></h4> <h4>Search</h4> <form class="search" action="../../search.html" method="get"> <input type="text" name="q" size="18" /> <input type="submit" value="Go" /> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> </div> <div class="document"> <div class="documentwrapper"> <div class="bodywrapper"> <div class="body"> <div class="section" id="kadm5-acl"> <span id="kadm5-acl-5"></span><h1>kadm5.acl<a class="headerlink" href="#kadm5-acl" title="Permalink to this headline">¶</a></h1> <div class="section" id="description"> <h2>DESCRIPTION<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> <p>The Kerberos <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a> daemon uses an Access Control List (ACL) file to manage access rights to the Kerberos database. For operations that affect principals, the ACL file also controls which principals can operate on which other principals.</p> <p>The default location of the Kerberos ACL file is <tt class="docutils literal"><span class="pre">/var/lib</span></tt><tt class="docutils literal"><span class="pre">/krb5kdc</span></tt><tt class="docutils literal"><span class="pre">/kadm5.acl</span></tt> unless this is overridden by the <em>acl_file</em> variable in <a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>.</p> </div> <div class="section" id="syntax"> <h2>SYNTAX<a class="headerlink" href="#syntax" title="Permalink to this headline">¶</a></h2> <p>Empty lines and lines starting with the sharp sign (<tt class="docutils literal"><span class="pre">#</span></tt>) are ignored. Lines containing ACL entries have the format:</p> <blockquote> <div><div class="highlight-python"><pre>principal permissions [target_principal [restrictions] ]</pre> </div> </div></blockquote> <div class="admonition note"> <p class="first admonition-title">Note</p> <p class="last">Line order in the ACL file is important. The first matching entry will control access for an actor principal on a target principal.</p> </div> <dl class="docutils"> <dt><em>principal</em></dt> <dd><p class="first">(Partially or fully qualified Kerberos principal name.) Specifies the principal whose permissions are to be set.</p> <p class="last">Each component of the name may be wildcarded using the <tt class="docutils literal"><span class="pre">*</span></tt> character.</p> </dd> <dt><em>permissions</em></dt> <dd><p class="first">Specifies what operations may or may not be performed by a <em>principal</em> matching a particular entry. This is a string of one or more of the following list of characters or their upper-case counterparts. If the character is <em>upper-case</em>, then the operation is disallowed. If the character is <em>lower-case</em>, then the operation is permitted.</p> <table border="1" class="last docutils"> <colgroup> <col width="2%" /> <col width="98%" /> </colgroup> <tbody valign="top"> <tr class="row-odd"><td>a</td> <td>[Dis]allows the addition of principals or policies</td> </tr> <tr class="row-even"><td>c</td> <td>[Dis]allows the changing of passwords for principals</td> </tr> <tr class="row-odd"><td>d</td> <td>[Dis]allows the deletion of principals or policies</td> </tr> <tr class="row-even"><td>i</td> <td>[Dis]allows inquiries about principals or policies</td> </tr> <tr class="row-odd"><td>l</td> <td>[Dis]allows the listing of principals or policies</td> </tr> <tr class="row-even"><td>m</td> <td>[Dis]allows the modification of principals or policies</td> </tr> <tr class="row-odd"><td>p</td> <td>[Dis]allows the propagation of the principal database (used in <a class="reference internal" href="../database.html#incr-db-prop"><em>Incremental database propagation</em></a>)</td> </tr> <tr class="row-even"><td>s</td> <td>[Dis]allows the explicit setting of the key for a principal</td> </tr> <tr class="row-odd"><td>x</td> <td>Short for admcil. All privileges</td> </tr> <tr class="row-even"><td>*</td> <td>Same as x.</td> </tr> </tbody> </table> </dd> <dt><em>target_principal</em></dt> <dd><p class="first">(Optional. Partially or fully qualified Kerberos principal name.) Specifies the principal on which <em>permissions</em> may be applied. Each component of the name may be wildcarded using the <tt class="docutils literal"><span class="pre">*</span></tt> character.</p> <p class="last"><em>target_principal</em> can also include back-references to <em>principal</em>, in which <tt class="docutils literal"><span class="pre">*number</span></tt> matches the component number in <em>principal</em>.</p> </dd> <dt><em>restrictions</em></dt> <dd><p class="first">(Optional) A string of flags. Allowed restrictions are:</p> <blockquote> <div><dl class="docutils"> <dt>{+|-}<em>flagname</em></dt> <dd>flag is forced to the indicated value. The permissible flags are the same as the + and - flags for the kadmin <a class="reference internal" href="../admin_commands/kadmin_local.html#add-principal"><em>add_principal</em></a> and <a class="reference internal" href="../admin_commands/kadmin_local.html#modify-principal"><em>modify_principal</em></a> commands.</dd> <dt><em>-clearpolicy</em></dt> <dd>policy is forced to be empty.</dd> <dt><em>-policy pol</em></dt> <dd>policy is forced to be <em>pol</em>.</dd> <dt>-{<em>expire, pwexpire, maxlife, maxrenewlife</em>} <em>time</em></dt> <dd>(<a class="reference internal" href="../../basic/date_format.html#getdate"><em>getdate time</em></a> string) associated value will be forced to MIN(<em>time</em>, requested value).</dd> </dl> </div></blockquote> <p class="last">The above flags act as restrictions on any add or modify operation which is allowed due to that ACL line.</p> </dd> </dl> <div class="admonition warning"> <p class="first admonition-title">Warning</p> <p class="last">If the kadmind ACL file is modified, the kadmind daemon needs to be restarted for changes to take effect.</p> </div> </div> <div class="section" id="example"> <h2>EXAMPLE<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h2> <p>Here is an example of a kadm5.acl file.</p> <blockquote> <div><div class="highlight-python"><pre>*/admin@ATHENA.MIT.EDU * # line 1 joeadmin@ATHENA.MIT.EDU ADMCIL # line 2 joeadmin/*@ATHENA.MIT.EDU il */root@ATHENA.MIT.EDU # line 3 */root@ATHENA.MIT.EDU cil *1@ATHENA.MIT.EDU # line 4 */*@ATHENA.MIT.EDU i # line 5 */admin@EXAMPLE.COM x * -maxlife 9h -postdateable # line 6</pre> </div> </div></blockquote> <p>(line 1) Any principal in the <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> realm with an <tt class="docutils literal"><span class="pre">admin</span></tt> instance has all administrative privileges.</p> <p>(lines 1-3) The user <tt class="docutils literal"><span class="pre">joeadmin</span></tt> has all permissions with his <tt class="docutils literal"><span class="pre">admin</span></tt> instance, <tt class="docutils literal"><span class="pre">joeadmin/admin@ATHENA.MIT.EDU</span></tt> (matches line 1). He has no permissions at all with his null instance, <tt class="docutils literal"><span class="pre">joeadmin@ATHENA.MIT.EDU</span></tt> (matches line 2). His <tt class="docutils literal"><span class="pre">root</span></tt> and other non-<tt class="docutils literal"><span class="pre">admin</span></tt>, non-null instances (e.g., <tt class="docutils literal"><span class="pre">extra</span></tt> or <tt class="docutils literal"><span class="pre">dbadmin</span></tt>) have inquire and list permissions with any principal that has the instance <tt class="docutils literal"><span class="pre">root</span></tt> (matches line 3).</p> <p>(line 4) Any <tt class="docutils literal"><span class="pre">root</span></tt> principal in <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> can inquire, list, or change the password of their null instance, but not any other null instance. (Here, “*1” denotes a back-reference to the first component of the actor principal.)</p> <p>(line 5) Any principal in the realm <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> (except for <tt class="docutils literal"><span class="pre">joeadmin@ATHENA.MIT.EDU</span></tt>, as mentioned above) has inquire privileges.</p> <p>(line 6) Finally, any principal with an <tt class="docutils literal"><span class="pre">admin</span></tt> instance in <tt class="docutils literal"><span class="pre">EXAMPLE.COM</span></tt> has all permissions, but any principal that they create or modify will not be able to get postdateable tickets or tickets with a life of longer than 9 hours.</p> </div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> <p><a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a>, <a class="reference internal" href="../admin_commands/kadmind.html#kadmind-8"><em>kadmind</em></a></p> </div> </div> </div> </div> </div> </div> <div class="clearer" ></div> </div> </div> <div class="footer-wrapper" > <div class="footer" > <div class="right" ><i>Release: 1.11.4</i><br /> © <a href="../../copyright.html">Copyright</a> 1985-2013, MIT. </div> <div class="left" > <a href="../../index.html" title="Full Table of Contents" >Contents</a> | <a href="kdc_conf.html" title="kdc.conf" >previous</a> | <a href="../realm_config.html" title="Realm configuration decisions" >next</a> | <a href="../../genindex.html" title="General Index" >index</a> | <a href="../../search.html" title="Enter search criteria" >Search</a> | <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__kadm5.acl">feedback</a> </div> </div> </div> </body> </html>