Bug#946797: debian-edu-config: kadm5.acl should set proper rights for users
>> > root/admin@INTERN *
>> > -*@INTERN cil
>> > +*@INTERN Cil
>> > */*@INTERN i
>> > EOF
>> > chmod 644 /etc/krb5kdc/kadm5.acl
>>
>> Why not just remove that line?
>
>The only line needed is: root/admin@INTERN *
>Intention is to fix the bug, but keep the change as minimal as
>possible.
Then it should be CIl in my opinion. Listing principals is the same as getent passwd, so no additional leaks here. The i ACL allows tracking other users' use of the network. It is thus part of the bug.
Reply to: