>> > root/admin@INTERN * >> > -*@INTERN cil >> > +*@INTERN Cil >> > */*@INTERN i >> > EOF >> > chmod 644 /etc/krb5kdc/kadm5.acl >> >> Why not just remove that line? > >The only line needed is: root/admin@INTERN * >Intention is to fix the bug, but keep the change as minimal as >possible.
Then it should be CIl in my opinion. Listing principals is the same as getent passwd, so no additional leaks here. The i ACL allows tracking other users' use of the network. It is thus part of the bug.
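Review bot: the added line `+*@INTERN Cil` only flips change-password to a denial and still grants `i` (inquire) and `l` (list) to every principal in the realm, and the unchanged `*/*@INTERN i` below it keeps granting inquire as well. In kadm5.acl a lowercase letter grants the operation and an uppercase letter denies it. If, as stated in the thread, `root/admin@INTERN *` is the only entry that is needed, removing both wildcard lines is the smaller and tighter end state, since kadmind denies anything that no ACL line grants. If the wildcard lines have to stay to keep the change minimal, denying inquire on both lines (for example `CIl`) and adding a comment in the heredoc explaining why each wildcard entry exists would make the intent reviewable.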