-
Notifications
You must be signed in to change notification settings - Fork 366
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Somehow this man page was overlooked, previously.
- Loading branch information
Showing
1 changed file
with
234 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,234 @@ | ||
| .TH "KADM5.ACL" "5" " " "0.0.1" "MIT Kerberos" | ||
| .SH NAME | ||
| kadm5.acl \- Kerberos ACL file | ||
| . | ||
| .nr rst2man-indent-level 0 | ||
| . | ||
| .de1 rstReportMargin | ||
| \\$1 \\n[an-margin] | ||
| level \\n[rst2man-indent-level] | ||
| level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] | ||
| - | ||
| \\n[rst2man-indent0] | ||
| \\n[rst2man-indent1] | ||
| \\n[rst2man-indent2] | ||
| .. | ||
| .de1 INDENT | ||
| .\" .rstReportMargin pre: | ||
| . RS \\$1 | ||
| . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] | ||
| . nr rst2man-indent-level +1 | ||
| .\" .rstReportMargin post: | ||
| .. | ||
| .de UNINDENT | ||
| . RE | ||
| .\" indent \\n[an-margin] | ||
| .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] | ||
| .nr rst2man-indent-level -1 | ||
| .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] | ||
| .in \\n[rst2man-indent\\n[rst2man-indent-level]]u | ||
| .. | ||
| .\" Man page generated from reStructuredText. | ||
| . | ||
| .SH DESCRIPTION | ||
| .sp | ||
| The Kerberos \fIkadmind(8)\fP daemon uses an Access Control List | ||
| (ACL) file to manage access rights to the Kerberos database. | ||
| For operations that affect principals, the ACL file also controls | ||
| which principals can operate on which other principals. | ||
| .sp | ||
| The default location of the Kerberos ACL file is | ||
| \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP unless this is overridden by the \fIacl_file\fP | ||
| variable in \fIkdc.conf(5)\fP. | ||
| .SH SYNTAX | ||
| .sp | ||
| Empty lines and lines starting with the sharp sign (\fB#\fP) are | ||
| ignored. Lines containing ACL entries have the format: | ||
| .INDENT 0.0 | ||
| .INDENT 3.5 | ||
| .sp | ||
| .nf | ||
| .ft C | ||
| principal permissions [target_principal [restrictions] ] | ||
| .ft P | ||
| .fi | ||
| .UNINDENT | ||
| .UNINDENT | ||
| .IP Note | ||
| Line order in the ACL file is important. The first matching entry | ||
| will control access for an actor principal on a target principal. | ||
| .RE | ||
| .INDENT 0.0 | ||
| .TP | ||
| .B \fIprincipal\fP | ||
| (Partially or fully qualified Kerberos principal name.) Specifies | ||
| the principal whose permissions are to be set. | ||
| .sp | ||
| Each component of the name may be wildcarded using the \fB*\fP | ||
| character. | ||
| .TP | ||
| .B \fIpermissions\fP | ||
| Specifies what operations may or may not be performed by a | ||
| \fIprincipal\fP matching a particular entry. This is a string of one or | ||
| more of the following list of characters or their upper\-case | ||
| counterparts. If the character is \fIupper\-case\fP, then the operation | ||
| is disallowed. If the character is \fIlower\-case\fP, then the operation | ||
| is permitted. | ||
| .TS | ||
| center; | ||
| |l|l|. | ||
| _ | ||
| T{ | ||
| a | ||
| T} T{ | ||
| [Dis]allows the addition of principals or policies | ||
| T} | ||
| _ | ||
| T{ | ||
| c | ||
| T} T{ | ||
| [Dis]allows the changing of passwords for principals | ||
| T} | ||
| _ | ||
| T{ | ||
| d | ||
| T} T{ | ||
| [Dis]allows the deletion of principals or policies | ||
| T} | ||
| _ | ||
| T{ | ||
| i | ||
| T} T{ | ||
| [Dis]allows inquiries about principals or policies | ||
| T} | ||
| _ | ||
| T{ | ||
| l | ||
| T} T{ | ||
| [Dis]allows the listing of principals or policies | ||
| T} | ||
| _ | ||
| T{ | ||
| m | ||
| T} T{ | ||
| [Dis]allows the modification of principals or policies | ||
| T} | ||
| _ | ||
| T{ | ||
| p | ||
| T} T{ | ||
| [Dis]allows the propagation of the principal database (used in \fIincr_db_prop\fP) | ||
| T} | ||
| _ | ||
| T{ | ||
| s | ||
| T} T{ | ||
| [Dis]allows the explicit setting of the key for a principal | ||
| T} | ||
| _ | ||
| T{ | ||
| x | ||
| T} T{ | ||
| Short for admcil. All privileges | ||
| T} | ||
| _ | ||
| T{ | ||
| * | ||
| T} T{ | ||
| Same as x. | ||
| T} | ||
| _ | ||
| .TE | ||
| .TP | ||
| .B \fItarget_principal\fP | ||
| (Optional. Partially or fully qualified Kerberos principal name.) | ||
| Specifies the principal on which \fIpermissions\fP may be applied. | ||
| Each component of the name may be wildcarded using the \fB*\fP | ||
| character. | ||
| .sp | ||
| \fItarget_principal\fP can also include back\-references to \fIprincipal\fP, | ||
| in which \fB*number\fP matches the component number in \fIprincipal\fP. | ||
| .TP | ||
| .B \fIrestrictions\fP | ||
| (Optional) A string of flags. Allowed restrictions are: | ||
| .INDENT 7.0 | ||
| .INDENT 3.5 | ||
| .INDENT 0.0 | ||
| .TP | ||
| .B {+|\-}\fIflagname\fP | ||
| flag is forced to the indicated value. The permissible flags | ||
| are the same as the + and \- flags for the kadmin | ||
| \fIadd_principal\fP and \fImodify_principal\fP commands. | ||
| .TP | ||
| .B \fI\-clearpolicy\fP | ||
| policy is forced to be empty. | ||
| .TP | ||
| .B \fI\-policy pol\fP | ||
| policy is forced to be \fIpol\fP. | ||
| .TP | ||
| .B \-{\fIexpire, pwexpire, maxlife, maxrenewlife\fP} \fItime\fP | ||
| (\fIgetdate\fP string) associated value will be forced to | ||
| MIN(\fItime\fP, requested value). | ||
| .UNINDENT | ||
| .UNINDENT | ||
| .UNINDENT | ||
| .sp | ||
| The above flags act as restrictions on any add or modify operation | ||
| which is allowed due to that ACL line. | ||
| .UNINDENT | ||
| .IP Warning | ||
| If the kadmind ACL file is modified, the kadmind daemon needs to be | ||
| restarted for changes to take effect. | ||
| .RE | ||
| .SH EXAMPLE | ||
| .sp | ||
| Here is an example of a kadm5.acl file. | ||
| .INDENT 0.0 | ||
| .INDENT 3.5 | ||
| .sp | ||
| .nf | ||
| .ft C | ||
| */admin@ATHENA.MIT.EDU * # line 1 | ||
| joeadmin@ATHENA.MIT.EDU ADMCIL # line 2 | ||
| joeadmin/*@ATHENA.MIT.EDU il */root@ATHENA.MIT.EDU # line 3 | ||
| */root@ATHENA.MIT.EDU cil *1@ATHENA.MIT.EDU # line 4 | ||
| */*@ATHENA.MIT.EDU i # line 5 | ||
| */admin@EXAMPLE.COM x * \-maxlife 9h \-postdateable # line 6 | ||
| .ft P | ||
| .fi | ||
| .UNINDENT | ||
| .UNINDENT | ||
| .sp | ||
| (line 1) Any principal in the \fBATHENA.MIT.EDU\fP realm with | ||
| an \fBadmin\fP instance has all administrative privileges. | ||
| .sp | ||
| (lines 1\-3) The user \fBjoeadmin\fP has all permissions with his | ||
| \fBadmin\fP instance, \fBjoeadmin/admin@ATHENA.MIT.EDU\fP (matches line | ||
| 1). He has no permissions at all with his null instance, | ||
| \fBjoeadmin@ATHENA.MIT.EDU\fP (matches line 2). His \fBroot\fP and other | ||
| non\-\fBadmin\fP, non\-null instances (e.g., \fBextra\fP or \fBdbadmin\fP) have | ||
| inquire and list permissions with any principal that has the | ||
| instance \fBroot\fP (matches line 3). | ||
| .sp | ||
| (line 4) Any \fBroot\fP principal in \fBATHENA.MIT.EDU\fP can inquire, list, | ||
| or change the password of their null instance, but not any other | ||
| null instance. (Here, "*1" denotes a back\-reference to the first | ||
| component of the actor principal.) | ||
| .sp | ||
| (line 5) Any principal in the realm \fBATHENA.MIT.EDU\fP (except for | ||
| \fBjoeadmin@ATHENA.MIT.EDU\fP, as mentioned above) has inquire | ||
| privileges. | ||
| .sp | ||
| (line 6) Finally, any principal with an \fBadmin\fP instance in \fBEXAMPLE.COM\fP | ||
| has all permissions, but any principal that they create or modify will | ||
| not be able to get postdateable tickets or tickets with a life of | ||
| longer than 9 hours. | ||
| .SH SEE ALSO | ||
| .sp | ||
| \fIkdc.conf(5)\fP, \fIkadmind(8)\fP | ||
| .SH AUTHOR | ||
| MIT | ||
| .SH COPYRIGHT | ||
| 2012, MIT | ||
| .\" Generated by docutils manpage writer. | ||
| . |