movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-09 19:13:26 +03:00
Code Issues Projects Releases Packages Wiki Activity

nixos/kerberos_server: disallow combining "all" with policies != "get-keys"

Browse source
This commit is contained in:
Nessdoor 2025-02-14 19:45:27 +01:00
parent 00a8c125b0
commit f500ae084a
2 changed files with 29 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

28
nixos/modules/security/krb5/krb5-conf-format.nix
View file

@ -61,16 +61,18 @@ rec {
description = "Which principal the rule applies to";
};
access = mkOption {
type = either (listOf (enum [
"all"
"add"
"cpw"
"delete"
"get-keys"
"get"
"list"
"modify"
])) (enum [ "all" ]);
type = coercedTo str singleton (
listOf (enum [
"all"
"add"
"cpw"
"delete"
"get-keys"
"get"
"list"
"modify"
])
);
default = "all";
description = ''
The changes the principal is allowed to make.
@ -79,6 +81,12 @@ rec {
The "all" permission does not imply the "get-keys" permission. This
is consistent with the behavior of both MIT Kerberos and Heimdal.
:::
:::{.warning}
Value "all" is allowed as a list member only if it appears alone
or accompanied by "get-keys". Any other combination involving
"all" will raise an exception.
:::
'';
};
target = mkOption {

11
nixos/modules/services/system/kerberos/default.nix
View file

@ -55,6 +55,17 @@ in
assertion = lib.length (lib.attrNames cfg.settings.realms) <= 1;
message = "Only one realm per server is currently supported.";
}
{
assertion =
let
inherit (builtins) attrValues elem length;
realms = attrValues cfg.settings.realms;
accesses = lib.concatMap (r: map (a: a.access) r.acl) realms;
property = a: !elem "all" a || (length a <= 1) || (length a <= 2 && elem "get-keys" a);
in
builtins.all property accesses;
message = "Cannot specify \"all\" in a list with additional permissions other than \"get-keys\"";
}
];
systemd.slices.system-kerberos-server = { };