-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Mon, Dec 16, 2019 at 12:13:49PM +0100, Wolfgang Schweer wrote:
> On Mon, Dec 16, 2019 at 11:33:28AM +0100, Dominik George wrote:
> > >> Why not just remove that line?
> > >
> > > The only line needed is: root/admin@INTERN *
> > > Intention is to fix the bug, but keep the change as minimal as
> > > possible.
> >
> > Then it should be CIl in my opinion. Listing principals is the same as
> > getent passwd, so no additional leaks here. The i ACL allows tracking
> > other users' use of the network. It is thus part of the bug.
>
> IMO Cil is enough, but better safe than sorry. Just committed like
> proposed, thanks.
Great! Also, I'd propose to turn the sed command into:

    sed -i 's/\(\*@INTERN[[:space:]]*\)cil/\1CIl/' /etc/krb5kdc/kadm5.acl

This way, it will not destroy any legitimate additions a local admin made.

- -nik
-----BEGIN PGP SIGNATURE-----

iQJlBAEBCgBPFiEEPJ1UpHV1wCb7F/0mt5o8FqDE8pYFAl33dBAxGmh0dHBzOi8v
d3d3LmRvbWluaWstZ2VvcmdlLmRlL2dwZy1wb2xpY3kudHh0LmFzYwAKCRC3mjwW
oMTylvjjD/9Hnfm8DN3+hobIMEsPg8lWXoN4Z90a46Hlfr/DcRGn+ENsbxnXMSBu
+Sg8PoomSvvDuW5QWgCXuUmBgS+mBNMOJFlSaT/3tORV8cr4nyq/kmgcU+9AcGBH
bmgQ5BvB2Z2eMau7eZvW+GhRA1UA576Luaxw/xl8EvqN5PmfYQgJwPK3aN1oNuJ0
nlR9N4yVbDKuvjLB2olXsO2jYOFKCkVU1QTPKf8Jfhq0usgqVjyv5NRY8ywKlns0
h5H9m1WQ9MdviGFE48YhGfKUSE9lKfFwAL/dnDSmvtzdsTI/HopxYAY9rw/XEi6a
S1MgmJQrFeYEGHJ49eLkiOWufG+Q8Z6jeN8LySsRx/17RjX7gMn5SIAvpZbwWuVK
h0yB5j6LQ/gfpcYu/N3DAWBW6zgLdxORfSi8IlDqXvJnSJKGlb0uQNBwsb+jT4HY
vJnPfE1fBGrgBOqe3BIrVdHE0iUvw9z8R+MaAewIGt4ThhJ7tJaGmROJ1gskQAnE
He+7QHRen0+WQxiLTgB03pww88phV7KBXnUQtx/7PlUUaK5AOKo38dtKNOTQo2gM
AAdp3OMFTw0f8JLk7uUtA1NEC1DPQvjNvjdQBVxDK7Vw08B1wKyAWTPfKEkYJHWv
FyaEwD4JPQySqrukf+RqJ2Pl4ip+PmgTZEYOmu1XpkV+9PRddltE0A==
=+c4F
-----END PGP SIGNATURE-----
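As an added example that is not part of the mail above, the following shell script applies the proposed sed command to a constructed copy of kadm5.acl (the sample ACL entries, the jdoe/admin principal and the scratch path are assumptions made for the demo) and checks that only the wildcard line changes, that a local admin's own entry survives, and that running the fix a second time is a no-op:

```shell
#!/bin/sh
# Added example (not from the original mail): apply the proposed sed fix to a
# constructed copy of kadm5.acl and verify it touches only the wildcard line.
# Sample ACL entries and the scratch path are constructed for this demo.
# Needs GNU sed for "sed -i" without a suffix argument.
set -eu

WORK="${TMPDIR:-/tmp}/kadm5-acl-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
ACL="$WORK/kadm5.acl"

# Constructed sample. In kadm5.acl a lowercase letter grants a permission and
# the uppercase letter denies it: c = change password, i = inquire, l = list.
# "*@INTERN cil" lets every principal inquire about and list all others,
# which is the leak discussed in the thread. The jdoe/admin line stands in
# for an entry a local admin added by hand; it must survive the fix intact.
cat > "$ACL" <<'EOF'
*/admin@INTERN *
root/admin@INTERN *
*@INTERN    cil
jdoe/admin@INTERN * host/*@INTERN
EOF

# The sed from the mail: the capture group keeps "*@INTERN" plus whatever
# whitespace follows it, so only the permission field of that line changes.
fix_acl() {
    sed -i 's/\(\*@INTERN[[:space:]]*\)cil/\1CIl/' "$1"
}

# Return 0 when the file is in the expected post-fix state: the wildcard
# line now reads CIl (deny change, deny inquire, allow list), no line still
# grants "cil", the admin's extra entry is untouched, and nothing was lost.
verify_acl() {
    grep -q '^\*@INTERN[[:space:]]*CIl$' "$1" || return 1
    grep -q 'cil' "$1" && return 1
    grep -qx 'jdoe/admin@INTERN \* host/\*@INTERN' "$1" || return 1
    [ "$(wc -l < "$1")" -eq 4 ]
}

fix_acl "$ACL"
verify_acl "$ACL" || { echo "unexpected ACL after fix" >&2; exit 1; }
echo "fix applied, local additions preserved"

# A second run is harmless: the pattern no longer matches, so the file is
# left exactly as it was after the first pass (safe for re-running scripts).
cp "$ACL" "$ACL.once"
fix_acl "$ACL"
cmp -s "$ACL" "$ACL.once" || { echo "second run changed the file" >&2; exit 1; }
echo "second run is a no-op"
```

The point of the capture group is that the pattern is anchored on the principal, not on the line as a whole, so any other entries (and any extra fields after the permissions) are left as the admin wrote them.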

