I disagree with Timo's assessment; the attempt to write to
/etc/krb5.conf is from an access(2) check to _see_ if the file is
writable. If the file _is_ writable, then the sshd server knows Kerberos
is mis-configured and will _fail_. Of course, most of the time, the
standard Unix DAC checks will forbid the write access, and sshd
continues normally.

Perhaps abstractions/kerberosclient should be amended to have a deny
rule for /etc/krb5.conf w, to silence this needless noise.

Sadly, the kernel LSM design doesn't allow LSM modules to know the
difference between open("file", O_RDWR) and access("file", R_OK|W_OK);
both result in the same call to an LSM module. (Which makes a certain
amount of sense, but does mean polluting profiles with explicit 'deny'
rules on access() checks done for safety's sake.)
--
https://bugs.launchpad.net/bugs/228229
Title:
sshd profile does not work out-of-the-box
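
An added example, not part of the original message and not code from sshd or the Kerberos libraries: a small C program that runs the access(2) probe and a real open(..., O_RDWR) against a constructed read-only stand-in file. Both calls ask for the same read and write permission and get the same verdict, and the probe alone is enough to show up as a write request on a file nobody meant to modify. The function names, temp path and file content are assumptions made for the illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Probe only: would read+write be permitted? Returns 0 or errno.
 * Nothing is opened or modified. access(2) checks the real UID. */
int probe_rw(const char *path)
{
    return access(path, R_OK | W_OK) == 0 ? 0 : errno;
}

/* Real read+write open, closed at once. Returns 0 or errno. */
int open_rw(const char *path)
{
    int fd = open(path, O_RDWR);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Build a constructed 0444 stand-in for a config file and run both calls.
 * Returns 1 if the verdicts match, 0 if not, -1 on setup failure. */
int compare_on_readonly_file(int *probe_err, int *open_err)
{
    char path[] = "/tmp/krb5conf-demo-XXXXXX";  /* hypothetical temp name */
    const char body[] = "[libdefaults]\n";       /* constructed content */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, body, sizeof body - 1) < 0 || fchmod(fd, 0444) != 0) {
        close(fd); unlink(path);
        return -1;
    }
    close(fd);
    *probe_err = probe_rw(path);
    *open_err = open_rw(path);
    unlink(path);
    return *probe_err == *open_err;
}

int main(void)
{
    int p = 0, o = 0;
    if (compare_on_readonly_file(&p, &o) < 0) return 1;
    printf("access(R_OK|W_OK) errno=%d, open(O_RDWR) errno=%d\n", p, o);
    return 0;
}
```

Run as an unprivileged user, both values are EACCES; run as root, both are 0, because root bypasses the DAC check in either call.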