From: Greg Hudson Date: Wed, 8 Jun 2016 04:00:55 +0000 (-0400) Subject: Fix kadmin min_life check with nonexistent policy X-Git-Tag: krb5-1.15-beta1~177 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5fca279ca4d18f1b5798847a98e7df8737d2eb7c;p=thirdparty%2Fkrb5.git Fix kadmin min_life check with nonexistent policy In kadmind, self-service key changes require a check against the policy's min_life field. If the policy does not exist, this check should succeed according to the semantics introduced by ticket #7385. Fix check_min_life() to return 0 if kadm5_get_policy() returns KADM5_UNK_POLICY. Reported by John Devitofranceschi. ticket: 8427 target_version: 1.14-next target_version: 1.13-next tags: pullup --- diff --git a/src/kadmin/server/misc.c b/src/kadmin/server/misc.c index 192145c60d..27a6376af6 100644 --- a/src/kadmin/server/misc.c +++ b/src/kadmin/server/misc.c @@ -177,10 +177,12 @@ check_min_life(void *server_handle, krb5_principal principal, if(ret) return ret; if(princ.aux_attributes & KADM5_POLICY) { + /* Look up the policy. If it doesn't exist, treat this principal as if + * it had no policy. */ if((ret=kadm5_get_policy(handle->lhandle, princ.policy, &pol)) != KADM5_OK) { (void) kadm5_free_principal_ent(handle->lhandle, &princ); - return ret; + return (ret == KADM5_UNK_POLICY) ? 0 : ret; } if((now - princ.last_pwd_change) < pol.pw_min_life && !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { diff --git a/src/tests/t_policy.py b/src/tests/t_policy.py index 4d075eb4ce..bfec96a932 100755 --- a/src/tests/t_policy.py +++ b/src/tests/t_policy.py @@ -2,7 +2,7 @@ from k5test import * import re -realm = K5Realm(create_host=False) +realm = K5Realm(create_host=False, start_kadmind=True) # Test password quality enforcement. realm.run([kadminl, 'addpol', '-minlength', '6', '-minclasses', '2', 'pwpol']) 
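Review bot: The new early return in check_min_life() spells success as a bare `0`, while the comparison just above it tests against `KADM5_OK`; `return (ret == KADM5_UNK_POLICY) ? KADM5_OK : ret;` keeps the two in step. The added comment could also state that this is a deliberate fail-open: a principal whose policy reference dangles gets no min_life limit on self-service key changes (the semantics the commit message attributes to ticket #7385), while any other kadm5_get_policy() error is still propagated to the caller. Something like `/* Deliberate: an unknown policy means no min_life limit (see #7385); other lookup errors still fail the check. */` would make that visible to anyone auditing this path. The function begins and ends outside the hunk, so the rest of its error handling is not visible here.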
@@ -39,6 +39,9 @@ if 'Policy: newpol [does not exist]\n' not in out: realm.run([kadminl, 'modprinc', '-policy', 'newpol', 'pwuser']) # pwuser should allow reuse of the current password since newpol doesn't exist. realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser']) +# Regression test for #8427 (min_life check with nonexistent policy). +realm.run([kadmin, '-p', 'pwuser', '-w', '3rdpassword', 'cpw', '-pw', + '3rdpassword', 'pwuser']) # Create newpol and verify that it is enforced. realm.run([kadminl, 'addpol', '-minlength', '3', 'newpol'])
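Review bot: The regression call discards kadmin's output, so it only catches the bug if realm.run() fails on a non-zero exit and kadmin exits non-zero when the cpw is refused; neither is visible in this hunk. The getprinc check shown in the hunk header already tests output with `not in out`, and doing the same here (`out = realm.run([kadmin, ...])` followed by an `if ... not in out: fail(...)` on the success message) would pin the behaviour regardless of exit status. The comment could also say why this call goes through `kadmin` rather than `kadminl`, e.g. `# Self-service cpw through kadmind exercises check_min_life().`, since that is presumably also the reason the realm is now created with `start_kadmind=True`.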