Well, this is embarrassing. In testing this evening, I discovered that there is a logic bug in the ACL checking in remctl that caused a missing ACL file to be interpreted as successful authorization rather than failure. In other words, if in your configuration you protected a command with an ACL file that didn't exist (even if multiple ACL files were listed and the others did exist), any authenticated user would have access to run that command.

If all the ACL files exist, the ACL checking works properly, which is why I'd not noticed this bug. In addition to the logic bug, it was a coverage flaw in the test suite, which has now been remedied. This bug was probably introduced around remctl 1.11 when include support in ACL files was added.

I've released version 2.6 of remctl to fix this problem.

Changes from previous release:

    SECURITY: If an ACL listed for a command didn't exist, the authorization check was treated as a success instead of a failure. This had, embarrassingly, apparently been broken since at least 2.0.

You can download it from:

    <http://www.eyrie.org/~eagle/software/remctl/>

The version of remctl in Debian stable is not affected. The version in Debian testing is affected, and I will be uploading a minimal security fix to Debian unstable later this evening. You can also get 2.6 packages for both Debian unstable/testing and Debian stable from my personal repository. See:

    <http://www.eyrie.org/~eagle/software/debian.html>

for more information.

Apologies for this. It was a particularly stupid mistake on my part.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
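
The failure mode this announcement describes, an ACL file that cannot be opened ending up counted as authorization, shown as an added example that is not remctl's code and not part of the original message. The file names, principals, whitespace-separated ACL format and the 1/0/-1 return convention are assumptions made for illustration; the second function shows the fail-closed form of the same check.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if user is listed, 0 if not, -1 if the file cannot be opened. */
static int acl_file_check(const char *path, const char *user) {
    char line[256];
    int found = 0;
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    while (!found && fscanf(f, "%255s", line) == 1)
        found = (strcmp(line, user) == 0);
    fclose(f);
    return found;
}

/* Fail-open: -1 is non-zero, so an unreadable ACL file grants access. */
int authorize_fail_open(const char **acls, size_t n, const char *user) {
    for (size_t i = 0; i < n; i++)
        if (acl_file_check(acls[i], user))
            return 1;
    return 0;
}

/* Fail-closed: an unreadable ACL file denies the request outright. */
int authorize_fail_closed(const char **acls, size_t n, const char *user) {
    int granted = 0;
    for (size_t i = 0; i < n; i++) {
        int r = acl_file_check(acls[i], user);
        if (r < 0)
            return 0;
        granted |= r;
    }
    return granted;
}

/* Constructed input: one ACL file that exists, one that does not, a user in neither. */
int demo(int (*authorize)(const char **, size_t, const char *)) {
    const char *acls[] = { "example-admins.acl", "example-missing.acl" };
    FILE *f = fopen(acls[0], "w");
    if (f == NULL || fputs("admin@EXAMPLE.ORG\n", f) < 0 || fclose(f) != 0)
        return -1;
    return authorize(acls, 2, "mallory@EXAMPLE.ORG");
}

int main(void) {
    printf("fail-open=%d fail-closed=%d\n", demo(authorize_fail_open), demo(authorize_fail_closed));
    return 0;
}
```

A test suite that only exercises ACL files that exist never reaches the `-1` branch, which is the coverage gap the message mentions.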