Hi,

2013-11-09 18:54, Russ Allbery wrote:
> Per Olofsson <[email protected]> writes:
>> So something is wrong here. In my opinion, "all" rights should include the
>> get-keys right (it did so before), so it should simply be changed to
>> include it:
>
> This was an intentional change upstream in the development branch that
> leads to Heimdal 1.6 (which is what's currently packaged). get-keys is
> surprisingly powerful and a lot of people weren't realizing just how much
> power "all" granted, including the ability to impersonate, silently, any
> principal whose entry one could retrieve. The idea is that one has to
> grant explicit permission to download the existing keys, since that's the
> most powerful operation kadmind supports.

OK, I see your point.
I still think it's clearly a bug that kadmin silently creates an invalid
keytab instead of returning an error message. It's really difficult as a
user to understand what's happening. It took almost a day for me and I
had to read the source code to find the problem.

> Since the current package is of a development snapshot, the documentation
> may not have caught up with the implementation fully.

Which makes me wonder... why are the Heimdal packages in Debian stable
from a development snapshot?
I guess an updated man page wouldn't have helped much in this case
anyway, as opposed to an error message. Still, I think this example from
kadmind(8) is a bit misleading:

    This acl file will grant Joe all rights, and allow Mallory to view and
    add host principals, as well as extract host principal keys (e.g.,
    into keytabs).

        joe/[email protected] all
        mallory/[email protected] add,get-keys host/*@EXAMPLE.COM

It says that Joe gets "all" rights, which is not true. Even if the
branch is still in development, I think this error should be fixed
before the release :-)
--
Pelle
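
An added example, not part of the original message and not Heimdal code: a small Python audit of a kadmind.acl file under the behaviour discussed above, where "all" no longer implies get-keys. The rights list follows kadmind(8); the '#' comment handling, the function names and the sample principals are assumptions made for this sketch.

```python
# Rights accepted in a kadmind.acl entry, as listed in kadmind(8).
RIGHTS = {"add", "change-password", "delete", "get", "get-keys", "list", "modify"}
ALIASES = {"cpw": "change-password"}
# Behaviour described in the thread: "all" no longer implies get-keys.
ALL_EXPANDS_TO = RIGHTS - {"get-keys"}


def parse_acl(text):
    """Parse kadmind.acl text into (principal, rights, target, named_all) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):  # blank or comment (assumed syntax)
            continue
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 'principal rights [pattern]'")
        principal, spec = fields[0], fields[1]
        target = fields[2] if len(fields) == 3 else None  # None: any principal
        rights, named_all = set(), False
        for name in spec.split(","):
            name = ALIASES.get(name, name)
            if name == "all":
                named_all = True
                rights |= ALL_EXPANDS_TO
            elif name in RIGHTS:
                rights.add(name)
            else:
                raise ValueError(f"line {lineno}: unknown right {name!r}")
        entries.append((principal, frozenset(rights), target, named_all))
    return entries


def audit(text):
    """Report who can extract existing keys, and who has "all" without that right."""
    report = {"can_extract_keys": [], "all_without_get_keys": []}
    for principal, rights, target, named_all in parse_acl(text):
        if "get-keys" in rights:
            report["can_extract_keys"].append((principal, target))
        elif named_all:
            report["all_without_get_keys"].append(principal)
    return report


# Constructed sample ACL; principals and realm are made up for this example.
SAMPLE_ACL = """\
# principal              rights        [target pattern]
alice/admin@EXAMPLE.ORG  all
bob/admin@EXAMPLE.ORG    all,get-keys
carol/admin@EXAMPLE.ORG  add,get-keys  host/*@EXAMPLE.ORG
dave/admin@EXAMPLE.ORG   cpw,list
"""
```

Entries under all_without_get_keys are the administrators who would hit the silent keytab failure described in this message; entries under can_extract_keys hold the right Russ calls the most powerful one kadmind supports.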