Per Olofsson <[email protected]> writes: > So something is wrong here. In my opinion, "all" rights should include the > get-keys right (it did so before), so it should simply be changed to > include it:
This was an intentional change upstream in the development branch that leads to Heimdal 1.6 (which is what's currently packaged). get-keys is surprisingly powerful and a lot of people weren't realizing just how much power "all" granted, including the ability to impersonate, silently, any principal whose entry one could retrieve. The idea is that one has to grant explicit permission to download the existing keys, since that's the most powerful operation kadmind supports. Since the current package is of a development snapshot, the documentation may not have caught up with the implementation fully. -- Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
