Bug#946797: marked as done (debian-edu-config: kadm5.acl should set proper rights for users)

Debian Bug Tracking System Sat, 21 Dec 2019 08:36:37 -0800

Your message dated Sat, 21 Dec 2019 16:33:58 +0000
with message-id <e1iihhw-0006dw...@fasolo.debian.org>
and subject line Bug#946797: fixed in debian-edu-config 1.929+deb9u4
has caused the Debian Bug report #946797,
regarding debian-edu-config: kadm5.acl should set proper rights for users
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
946797: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946797
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: debian-edu-config
Version: 1.812+deb8u1
Severity: important

To improve security, settings in kadm5.acl should be adjusted.

The needed fix is minimal:

--- a/share/debian-edu-config/tools/kerberos-kdc-init
+++ b/share/debian-edu-config/tools/kerberos-kdc-init
@@ -187,7 +187,7 @@ EOF
     if [ ! -f /etc/krb5kdc/kadm5.acl ] ; then
        cat > /etc/krb5kdc/kadm5.acl <<EOF
 root/admin@INTERN *
-*@INTERN cil
+*@INTERN Cil
 */*@INTERN i
 EOF
     chmod 644 /etc/krb5kdc/kadm5.acl

Thanks to Andreas B. Mundt for the hint.

Also, /etc/krb5kdc/kadm5.acl should be fixed accordingly upon upgrades
by adding something like this to debian-edu-config.postinst:

[configure case]
     fi
+
+    # Set proper rights for users.
+    if [ -f /etc/krb5kdc/kadm5.acl ] ; then
+        sed -i 's/cil/Cil/' /etc/krb5kdc/kadm5.acl
+    fi
     ;;
 esac

Wolfgang

signature.asc
Description: PGP signature

--- End Message ---

--- Begin Message ---

Source: debian-edu-config
Source-Version: 1.929+deb9u4

We believe that the bug you reported is fixed in the latest version of
debian-edu-config, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 946...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominik George <naturesha...@debian.org> (supplier of updated debian-edu-config 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 17 Dec 2019 18:38:50 +0100
Source: debian-edu-config
Binary: debian-edu-config
Architecture: source
Version: 1.929+deb9u4
Distribution: stretch-security
Urgency: high
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Dominik George <naturesha...@debian.org>
Description:
 debian-edu-config - Configuration files for Skolelinux systems
Closes: 946797
Changes:
 debian-edu-config (1.929+deb9u4) stretch-security; urgency=high
 .
   * Security fix for CVE-2019-3467
 .
   [ Wolfgang Schweer ]
   * share/debian-edu-config/tools/kerberos-kdc-init:
     - Set proper rights for users in kadm5.acl file. (Closes: #946797)
   * Adjust debian/debian-edu-config.postinst to fix kadm5.acl upon upgrades.
 .
   [ Holger Levsen ]
   * Improve debian/debian-edu-config.postinst fix to only run once on
     upgrades.
 .
   [ Dominik George ]
   * Add NEWS to warn administrators with possible local changes.
Checksums-Sha1:
 8b729d7257d08386744143610020e874232f61fa 1940 
debian-edu-config_1.929+deb9u4.dsc
 6bfe3fab7764f30a92e8f05dbc0f0baad0436fc1 386320 
debian-edu-config_1.929+deb9u4.tar.xz
 8f529c0c287558fb84711bc1bd4f7fa88fbcc43c 6090 
debian-edu-config_1.929+deb9u4_amd64.buildinfo
Checksums-Sha256:
 2ef1f0325d7d5fda92405fcb8d4fd27ca70d6fab87d4953dbbeaab1f35078a38 1940 
debian-edu-config_1.929+deb9u4.dsc
 a9b8d47a36c52d9ddd4b5196dd50ebc4ce10401271589756bc15f369c101a84d 386320 
debian-edu-config_1.929+deb9u4.tar.xz
 bb42c1eb191ad13315c3ee30da6d6f0e570cc4e5bff8f4860fde4b2d471603f1 6090 
debian-edu-config_1.929+deb9u4_amd64.buildinfo
Files:
 034169c8ac0215a3d1911f664835fc39 1940 misc extra 
debian-edu-config_1.929+deb9u4.dsc
 da4b1c3cc66f240fa0afe60168c636d7 386320 misc extra 
debian-edu-config_1.929+deb9u4.tar.xz
 1d6246d480b8641ddea6b6dd4faa666b 6090 misc extra 
debian-edu-config_1.929+deb9u4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJlBAEBCgBPFiEEPJ1UpHV1wCb7F/0mt5o8FqDE8pYFAl3589cxGmh0dHBzOi8v
d3d3LmRvbWluaWstZ2VvcmdlLmRlL2dwZy1wb2xpY3kudHh0LmFzYwAKCRC3mjwW
oMTyliVqD/9gftFKEPsLrkqgnkie2d5y/J763Pajao2iHCQnWuvVPgOy3Jkj8Mlg
jTbkVpaqkM4lMR5+3xtNViKizsGdRbE3qae/Aij+iEkOQaS97fWjDKjPY9mwHnL9
nHBkEzl3V3aGuIU/eWidsHTQQSNyqulDLKFWAsKvDBJEknR2l/nyVcEdQZcZAP/t
LyXrbLY8gEO2hFYPVICLFwkjsty5Guk2LnKsRVbdLRPTQoU89kblhOBAy7Z9JmxB
8E9JzgXYtGjGDUkCGQQohya696ImDL/4vA+gkZZax4i6p46CeLWfPRPmhz755aUD
P1PMUVizggigHRtfCWtf1V1xOP5x1zXjIYOWT2XVH6gUiDdMvX05hiGmqq1FkIi7
8tq99IQ+PsJ3WxRA1oKMoWTkfPJBs4aFQtJ0rAfcxcFFESDVPl7tPW8lnz9M647n
h73ddyjuzfvRBS3DnPmfs/bKVA1QPK91QBRTlkVnViABLGeGV9DKA9GWyLd89oI8
9WGpXENUnNOY9ppIGjZlRZnkOmlbIVp0C4NwPhuNBtZNX9YtLtxl+86xShDDW06+
VpbaxLaFMDAEUfhW6Q6epfrNX7608oADR15pLBOoHUZcOJD7ycYvt3aCx2/IQElP
SKQ3UYUCmuWm+L02tKol7MJBI70B+88AxOyg+GOICEJnWrN8NceMXA==
=tMNo
-----END PGP SIGNATURE-----

--- End Message ---

Bug#946797: marked as done (debian-edu-config: kadm5.acl should set proper rights for users)

Reply via email to