Do not be over-restrictive in the presence of UAC

We used to explicitly check if a process was UAC-limited and deny all
access to the TGT in that case; however, this makes the MSLSA cache
effectively useless. Do not try to outsmart UAC, and let it do its own
checking -- this allows UAC-limited access to the MSLSA ccache, which
should mean read-write access to service tickets, and write-only access
to the TGT.

Signed-off-by: Kevin Wasserman <[email protected]>
[[email protected]: delete instead of comment out, move comment.]

https://github.com/krb5/krb5/commit/8020c64554dd25a4f09df8a28dca924c6ecb5608
Author: Kevin Wasserman <[email protected]>
Committer: Ben Kaduk <[email protected]>
Commit: 8020c64554dd25a4f09df8a28dca924c6ecb5608
Branch: master
 src/lib/krb5/ccache/cc_mslsa.c | 43 +++------------------------------------
 1 files changed, 4 insertions(+), 39 deletions(-)
_______________________________________________
kfwdev mailing list
[email protected]
http://mailman.mit.edu/mailman/listinfo/kfwdev
