
Bug#946797: debian-edu-config: kadm5.acl should set proper rights for users




On Mon, Dec 16, 2019 at 12:13:49PM +0100, Wolfgang Schweer wrote:
> On Mon, Dec 16, 2019 at 11:33:28AM +0100, Dominik George wrote:
> > >> Why not just remove that line?
> > >
> > >The only line needed is: root/admin@INTERN *
> > >Intention is to fix the bug, but keep the change as minimal as
> > >possible.
> > Then it should be CIl in my opinion. Listing principals is the same as 
> > getent passwd, so no additional leaks here. The i ACL allows tracking 
> > other users' use of the network. It is thus part of the bug.
> 
> IMO Cil is enough, but better safe than sorry. Just committed like 
> proposed, thanks.

Great!

Also, I'd propose to turn the sed command into:

  sed -i 's/\(\*@INTERN[[:space:]]*\)cil/\1CIl/' /etc/krb5kdc/kadm5.acl

This way, it will not destroy any legitimate additions a local admin made.

- -nik
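
The sed rewrite proposed in the message above, run against a constructed kadm5.acl (an added example, not part of the original mail or of debian-edu-config). The `helpdesk/admin@INTERN` line, the function names and the scratch file are assumptions for illustration; in kadm5.acl an uppercase letter denies the privilege its lowercase form grants.

```shell
#!/bin/sh
# Added example: apply the proposed sed rewrite to a scratch ACL file and
# check that only the wildcard entry changes. Requires GNU sed (-i).

# Rewrite only the "*@INTERN cil" entry. The path is a parameter so a
# scratch copy can be used instead of /etc/krb5kdc/kadm5.acl.
migrate_acl() {
    sed -i 's/\(\*@INTERN[[:space:]]*\)cil/\1CIl/' "$1"
}

# Print wildcard-principal entries that still grant "c" (change password),
# "i" (inquire) or "*" (everything). Empty output means the entry is restricted.
audit_acl() {
    awk '$1 == "*@INTERN" && $2 ~ /[ci*]/ { print }' "$1"
}

# Constructed sample file. The helpdesk line is hypothetical and stands in
# for a legitimate addition made by a local admin.
make_sample() {
    cat > "$1" <<'EOF'
root/admin@INTERN *
*@INTERN cil
helpdesk/admin@INTERN cil
EOF
}

demo() {
    acl=$(mktemp)
    make_sample "$acl"
    echo "flagged before: $(audit_acl "$acl")"
    migrate_acl "$acl"
    migrate_acl "$acl"   # a second run changes nothing
    echo "flagged after:  $(audit_acl "$acl")"
    cat "$acl"
    rm -f "$acl"
}
demo
```

The expression is not anchored to the start or end of a line, so a commented-out `*@INTERN cil` or a longer permission string beginning with `cil` on that principal would be rewritten as well.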

