Hi,

> Severity: important

I propose this bug to be set to severity critical and handled by DSA. After 
all, it is a local impersonation and root privilege escalation bug, if not a 
remote one if you consider clients scattered across a school as remote.

> 
> To improve security, settings in kadm5.acl should be adjusted.
> 
> The needed fix is minimal:
> 
> --- a/share/debian-edu-config/tools/kerberos-kdc-init
> +++ b/share/debian-edu-config/tools/kerberos-kdc-init
> @@ -187,7 +187,7 @@ EOF
>      if [ ! -f /etc/krb5kdc/kadm5.acl ] ; then
>         cat > /etc/krb5kdc/kadm5.acl <<EOF
>  root/admin@INTERN *
> -*@INTERN cil
> +*@INTERN Cil
>  */*@INTERN i
>  EOF
>      chmod 644 /etc/krb5kdc/kadm5.acl
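Review bot: the `-*@INTERN cil` / `+*@INTERN Cil` change only denies the password-change letter; `i` and `l` remain granted to every principal in INTERN, so any user can still inquire about and list every principal in the realm (and `*/*@INTERN i` keeps that for service principals). If that is not intended, drop the `l`, add a target field to the entry, or remove the line altogether. Note also that this hunk only touches the heredoc used when /etc/krb5kdc/kadm5.acl does not exist yet, so installations that already have the file need a separate upgrade path.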

Why not just remove that line? Or disallow everything? Disallowing changes 
fixes the privilege escalation, but it is also questionable if everyone and 
their dog need to be allowed to track when which other person used the network. 
I am pretty certain it is at least a DSGVO violation.

> 
> Thanks to Andreas B. Mundt for the hint.
> 
> Also, /etc/krb5kdc/kadm5.acl should be fixed accordingly upon upgrades
> by adding something like this to debian-edu-config.postinst:
> 
> [configure case]
>      fi
> +
> +    # Set proper rights for users.
> +    if [ -f /etc/krb5kdc/kadm5.acl ] ; then
> +        sed -i 's/cil/Cil/' /etc/krb5kdc/kadm5.acl
> +    fi
>      ;;
>  esac
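Review bot: `sed -i 's/cil/Cil/'` is unanchored and rewrites the first `cil` on any line of the file, including one inside a principal or target name on a locally edited ACL; anchor it to the shipped entry, e.g. `sed -i 's/^\*@INTERN[[:space:]]\{1,\}cil$/*@INTERN Cil/'`, and skip the rewrite when the file no longer matches the default (compare against the shipped content, or warn via debconf as suggested in the reply). The block also runs on every configure invocation rather than only on upgrades from affected versions; guarding it with `dpkg --compare-versions "$2" lt <fixed-version>` (placeholder) would limit it to the upgrade path it is meant for.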

Probably only if it was unmodified. If not, postinst should issue a warning 
using debconf, IMHO.

-nik
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
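As an added illustration of the ACL semantics discussed in this thread (not code from the bug report or from debian-edu-config), the following script parses a kadm5.acl file in the MIT format and flags wildcard principals that may change other principals' passwords or enumerate the realm. The sample ACL contents are constructed from the three lines quoted above; the permission letters and the "uppercase denies" rule follow kadm5.acl(5), and the finding codes are this example's own.

```python
"""Audit an MIT Kerberos kadm5.acl file for overly broad wildcard grants.

Added example: a checker for the kadm5.acl(5) format, not part of
debian-edu-config.  Finding codes ("changepw-any", "list-all",
"inquire-any") are invented for this script.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Letters granted by 'x' or '*' according to kadm5.acl(5): add, delete,
# modify, changepw, inquire, list, setkey, propagate.  'e' (extract keys)
# must be granted explicitly.  Lowercase grants, uppercase denies.
X_PERMS = set("admcilsp")
KNOWN_PERMS = X_PERMS | {"e"}


@dataclass
class AclEntry:
    lineno: int
    principal: str        # who the entry applies to (may contain '*')
    grants: Set[str]
    denies: Set[str]
    target: Optional[str]  # principals the permission applies to; None = all


def parse_acl(text: str) -> List[AclEntry]:
    """Parse kadm5.acl lines: principal  permissions  [target  [restrictions]]."""
    entries: List[AclEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected principal and permissions")
        principal, perms = fields[0], fields[1]
        target = fields[2] if len(fields) > 2 else None
        grants: Set[str] = set()
        denies: Set[str] = set()
        for ch in perms:
            if ch in "x*":
                grants |= X_PERMS
            elif ch.lower() in KNOWN_PERMS:
                (grants if ch.islower() else denies).add(ch.lower())
            else:
                raise ValueError(f"line {lineno}: unknown permission letter {ch!r}")
        entries.append(AclEntry(lineno, principal, grants, denies, target))
    return entries


def audit(text: str) -> List[Tuple[int, str, str]]:
    """Return (lineno, principal, finding) for risky wildcard entries."""
    findings: List[Tuple[int, str, str]] = []
    for e in parse_acl(text):
        if "*" not in e.principal:
            continue  # a named admin principal is expected to hold privileges
        effective = e.grants - e.denies
        any_target = e.target is None or e.target == "*"
        if "c" in effective and any_target:
            # Anyone matching the wildcard may reset any password: impersonation.
            findings.append((e.lineno, e.principal, "changepw-any"))
        if "l" in effective:
            # Anyone matching the wildcard may enumerate every principal.
            findings.append((e.lineno, e.principal, "list-all"))
        if "i" in effective and any_target:
            # Anyone matching the wildcard may query any principal's attributes.
            findings.append((e.lineno, e.principal, "inquire-any"))
    return findings


# Constructed samples: the ACL as shipped, the proposed one-letter fix,
# and a variant that drops the wildcard entry entirely.
SHIPPED_ACL = """\
root/admin@INTERN *
*@INTERN cil
*/*@INTERN i
"""
PATCHED_ACL = SHIPPED_ACL.replace("*@INTERN cil", "*@INTERN Cil")
MINIMAL_ACL = "root/admin@INTERN *\n"


if __name__ == "__main__":
    for name, acl in (("shipped", SHIPPED_ACL), ("patched", PATCHED_ACL),
                      ("minimal", MINIMAL_ACL)):
        print(f"{name}:")
        for lineno, principal, finding in audit(acl) or []:
            print(f"  line {lineno}: {principal} -> {finding}")
```

Running it shows that the `cil` to `Cil` change removes the `changepw-any` finding on line 2 but leaves `list-all` and `inquire-any` in place, which is exactly the privacy concern raised in the reply; only removing the wildcard entry (or giving it a target) makes the remaining findings go away.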
