Prevent deletion of K/M 1086/head
authorGreg Hudson <ghudson@mit.edu>
Sun, 14 Jun 2020 01:55:54 +0000 (21:55 -0400)
committerGreg Hudson <ghudson@mit.edu>
Mon, 15 Jun 2020 21:16:26 +0000 (17:16 -0400)
In libkadm5srv, do not allow deletion of the master key principal, as
it is very difficult to recover a KDB after doing so.

ticket: 8913

src/lib/kadm5/srv/svr_principal.c
src/tests/t_kadmin_acl.py

index 8a7ab6ea68b39e00bb93c4243081dad4b2a127df..315c541419e5e50030e1b89147a7f3e90a1f0146 100644 (file)
@@ -537,6 +537,10 @@ kadm5_delete_principal(void *server_handle, krb5_principal principal)
     if (principal == NULL)
         return EINVAL;
 
+    /* Deleting K/M is mostly unrecoverable, so don't allow it. */
+    if (krb5_principal_compare(handle->context, principal, master_princ))
+        return KADM5_PROTECT_PRINCIPAL;
+
     if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
         return(ret);
     ret = k5_kadm5_hook_remove(handle->context, handle->hook_handles,
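Review bot: The new guard at the `krb5_principal_compare` line protects K/M against `kadm5_delete_principal` only; a rename of K/M removes the entry under its old name just as irrecoverably, so `kadm5_rename_principal` (outside this hunk) appears to need the same check unless it already has one. The guard also relies on `master_princ` being initialized for every server handle that can reach this path; if a handle can exist without the master key loaded, confirm that `krb5_principal_compare` tolerates a NULL argument, or add `master_princ != NULL &&` to the condition. Note that the check runs before `kdb_get_entry`, so the result is deliberately `KADM5_PROTECT_PRINCIPAL` rather than a lookup error, which is reasonable. The rest of `kadm5_delete_principal` lies outside the hunk.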
index 86eb59729f7dbb9a6a8837c0ce744a3acf16275b..8946e8cc4bdc419db565d76ae1a6434d8d8f469d 100755 (executable)
@@ -328,4 +328,10 @@ realm.run([kadmin, '-c', realm.ccache, 'cpw', '-randkey', 'none'],
 realm.run([kadmin, '-c', realm.ccache, 'cpw', '-randkey', '-e', 'aes256-cts',
            'none'], expected_code=1, expected_msg=msg)
 
+# Test operations disallowed at the libkadm5 layer.
+realm.run([kadminl, 'delprinc', 'K/M'],
+          expected_code=1, expected_msg='Cannot change protected principal')
+realm.run([kadminl, 'cpw', '-pw', 'pw', 'kadmin/history'],
+          expected_code=1, expected_msg='Cannot change protected principal')
+
 success('kadmin ACL enforcement')
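Review bot: The two new cases at the `realm.run([kadminl, ...])` lines exercise only the local `kadmin.local` path, while the protection being tested lives in libkadm5srv and is also reached over the kadmind RPC path. A remote variant in the style of the existing `realm.run([kadmin, '-c', realm.ccache, ...])` calls, run as a principal that holds delete permission, would confirm the error code and the 'Cannot change protected principal' message survive the RPC layer; whether the ccache in use at this point has that permission is not visible in the hunk. The comment `# Test operations disallowed at the libkadm5 layer.` could also name the two protected principals so a reader knows why K/M and kadmin/history are singled out.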