URL: https://github.com/freeipa/freeipa/pull/585 Author: pvomacka Title: #585: Remove allow_constrained_delegation from gssproxy.conf Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/585/head:pr585 git checkout pr585
From 70a70d1d76664602b907e9f93b29c5515b120931 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka <pvoma...@redhat.com>
Date: Tue, 14 Mar 2017 17:44:01 +0100
Subject: [PATCH] Remove allow_constrained_delegation from gssproxy.conf

This change reverts option which undid privilege separation letting apache be able to both impersonate users and then contact any service.

https://pagure.io/freeipa/issue/6225
---
 install/share/gssproxy.conf.template | 1 -
 1 file changed, 1 deletion(-)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index d703144..fbb158a 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,7 +4,6 @@
 cred_store = keytab:$HTTP_KEYTAB
 cred_store = client_keytab:$HTTP_KEYTAB
 allow_protocol_transition = true
- allow_constrained_delegation = true
 cred_usage = both
 euid = $HTTPD_USER