From: Greg Hudson
Date: Sun, 14 Jun 2020 01:55:54 +0000 (-0400)
Subject: Prevent deletion of K/M
X-Git-Tag: krb5-1.19-beta1~62
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=94b936a1bf0a8c67809597c5ea5400d8994d5dd8;p=thirdparty%2Fkrb5.git
Prevent deletion of K/M
In libkadm5srv, do not allow deletion of the master key principal, as it is very difficult to recover a KDB after doing so.
ticket: 8913
---
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 8a7ab6ea68..315c541419 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -537,6 +537,10 @@ kadm5_delete_principal(void *server_handle, krb5_principal principal)
 if (principal == NULL)
 return EINVAL;
 
+ /* Deleting K/M is mostly unrecoverable, so don't allow it. */
+ if (krb5_principal_compare(handle->context, principal, master_princ))
+ return KADM5_PROTECT_PRINCIPAL;
+
 if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
 return(ret);
 ret = k5_kadm5_hook_remove(handle->context, handle->hook_handles,
diff --git a/src/tests/t_kadmin_acl.py b/src/tests/t_kadmin_acl.py
index 86eb59729f..8946e8cc4b 100755
--- a/src/tests/t_kadmin_acl.py
+++ b/src/tests/t_kadmin_acl.py
@@ -328,4 +328,10 @@ realm.run([kadmin, '-c', realm.ccache, 'cpw', '-randkey', 'none'],
 realm.run([kadmin, '-c', realm.ccache, 'cpw', '-randkey', '-e', 'aes256-cts', 'none'], expected_code=1, expected_msg=msg)
 
+# Test operations disallowed at the libkadm5 layer.
+realm.run([kadminl, 'delprinc', 'K/M'],
+ expected_code=1, expected_msg='Cannot change protected principal')
+realm.run([kadminl, 'cpw', '-pw', 'pw', 'kadmin/history'],
+ expected_code=1, expected_msg='Cannot change protected principal')
+
 success('kadmin ACL enforcement')
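Review bot: The `master_princ` guard added at the top of `kadm5_delete_principal` in svr_principal.c closes only the delete path, and nothing in this patch shows the same protection on rename; renaming K/M away would presumably leave the KDB without its master key principal just as a deletion does. If `kadm5_rename_principal` has no such check, it should reject a source principal equal to `master_princ` with `KADM5_PROTECT_PRINCIPAL` in the same way, and the new test block should cover that case. The comment could also state that the check sits in libkadm5srv on purpose, apparently so that it applies to kadmin.local as well as to remote clients subject to ACLs. The function's body starts and ends outside the hunk, so how `handle` and `master_princ` are initialised before the guard is not visible here.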
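Review bot: The two added `realm.run` calls in t_kadmin_acl.py check only the exit code and the error text, so they would still pass if a rejected `delprinc` had altered the entry before failing. A follow-up lookup such as `realm.run([kadminl, 'getprinc', 'K/M'])` placed after the `delprinc` case would confirm that the principal is still present. Both cases expect the same message, 'Cannot change protected principal', so a short comment naming which guard each call exercises would help a reader tell them apart.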