nixos/kerberos_server: disallow combining "all" with policies != "get-keys"

Nessdoor 2025-02-14 19:45:27 +01:00
parent 00a8c125b0
commit f500ae084a
2 changed files with 29 additions and 10 deletions


@ -61,16 +61,18 @@ rec {
description = "Which principal the rule applies to"; description = "Which principal the rule applies to";
}; };
access = mkOption { access = mkOption {
type = either (listOf (enum [ type = coercedTo str singleton (
"all" listOf (enum [
"add" "all"
"cpw" "add"
"delete" "cpw"
"get-keys" "delete"
"get" "get-keys"
"list" "get"
"modify" "list"
])) (enum [ "all" ]); "modify"
])
);
default = "all"; default = "all";
description = '' description = ''
The changes the principal is allowed to make. The changes the principal is allowed to make.
@ -79,6 +81,12 @@ rec {
The "all" permission does not imply the "get-keys" permission. This The "all" permission does not imply the "get-keys" permission. This
is consistent with the behavior of both MIT Kerberos and Heimdal. is consistent with the behavior of both MIT Kerberos and Heimdal.
::: :::
:::{.warning}
Value "all" is allowed as a list member only if it appears alone
or accompanied by "get-keys". Any other combination involving
"all" will raise an exception.
:::
''; '';
}; };
target = mkOption { target = mkOption {
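Review bot: The new warning promises that any other combination involving "all" "will raise an exception", but nothing in this option's type enforces that; `coercedTo str singleton (listOf (enum [ ... ]))` still accepts `[ "all" "add" ]` as a valid value. The rejection comes only from the module assertion added in the other file of this commit, so any consumer of this option set that is evaluated without that module would presumably let the combination through silently, which is worth confirming for a kadmin ACL. Consider either wrapping the list type in `lib.types.addCheck` with the same predicate, or rewording the warning to `will fail the kerberos_server module assertion at evaluation time`. The coercion also newly accepts any bare permission string (for example `"get"`), which the description text visible in these hunks does not mention.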


@ -55,6 +55,17 @@ in
assertion = lib.length (lib.attrNames cfg.settings.realms) <= 1; assertion = lib.length (lib.attrNames cfg.settings.realms) <= 1;
message = "Only one realm per server is currently supported."; message = "Only one realm per server is currently supported.";
} }
{
assertion =
let
inherit (builtins) attrValues elem length;
realms = attrValues cfg.settings.realms;
accesses = lib.concatMap (r: map (a: a.access) r.acl) realms;
property = a: !elem "all" a || (length a <= 1) || (length a <= 2 && elem "get-keys" a);
in
builtins.all property accesses;
message = "Cannot specify \"all\" in a list with additional permissions other than \"get-keys\"";
}
]; ];
systemd.slices.system-kerberos-server = { }; systemd.slices.system-kerberos-server = { };
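Review bot: The `property` predicate decides by list length rather than by membership, so a list such as `[ "all" "get-keys" "get-keys" ]` is rejected although it names no permission beyond the two allowed ones, and the rule is harder to read than it needs to be. A membership form states it directly: `property = a: !elem "all" a || lib.subtractLists [ "all" "get-keys" ] a == [ ];`. The `message` also does not say which realm or principal holds the offending rule, which makes a failed evaluation slow to fix on a server with many ACL entries; filtering the failing rules and interpolating the principal of each into the message would help. The enclosing assertions list starts outside this hunk.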