Bug#946797: debian-edu-config: kadm5.acl should set proper rights for users

2019-12-16 Thread Holger Levsen
On Mon, Dec 16, 2019 at 04:58:32PM +0100, Dominik George wrote: > > Wolfgang, many thanks for this bug report and the quick fix. > > I'll upload to unstable right now and will coordinate with DSA and LTS > > the fixes for buster, stretch and jessie. > Are you aware that, as laid out on IRC, I am

Bug#946797: debian-edu-config: kadm5.acl should set proper rights for users

2019-12-16 Thread Dominik George
Hi, > Wolfgang, many thanks for this bug report and the quick fix. > I'll upload to unstable right now and will coordinate with DSA and LTS > the fixes for buster, stretch and jessie. Are you aware that, as laid out on IRC, I am already doing

Bug#946797: debian-edu-config: kadm5.acl should set proper rights for users

2019-12-16 Thread Holger Levsen
On Mon, Dec 16, 2019 at 12:26:57AM +0100, Wolfgang Schweer wrote: > Also, /etc/krb5kdc/kadm5.acl should be fixed accordingly upon upgrades > by adding something like this to debian-edu-config.postinst: > > [configure case] > fi > + > +# Set proper rights for users. > +if [ -f

Bug#946797: debian-edu-config: kadm5.acl should set proper rights for users

2019-12-16 Thread Holger Levsen
Hi, Wolfgang, many thanks for this bug report and the quick fix. I'll upload to unstable right now and will coordinate with DSA and LTS the fixes for buster, stretch and jessie. On Mon, Dec 16, 2019 at 11:05:33AM +0100, Dominik George wrote: > > Severity: important > I propose this bug to be set

Bug#946797: debian-edu-config: kadm5.acl should set proper rights for users

2019-12-16 Thread Wolfgang Schweer
On Mon, Dec 16, 2019 at 01:09:53PM +0100, Dominik George wrote: > Also, I'd propose to turn the sed command into: > > sed -i 's/\(\*@INTERN[[:space:]]*\)cil/\1CIl/' /etc/krb5kdc/kadm5.acl > > This way, it will not destroy any legitimate additions a local admin made. Good point. Thanks,

Bug#946797: debian-edu-config: kadm5.acl should set proper rights for users

2019-12-16 Thread Dominik George
On Mon, Dec 16, 2019 at 12:13:49PM +0100, Wolfgang Schweer wrote: > On Mon, Dec 16, 2019 at 11:33:28AM +0100, Dominik George wrote: > > >> Why not just remove that line? > > > > > >The only line needed is: root/admin@INTERN * > > >Intention is to

Bug#946797: debian-edu-config: kadm5.acl should set proper rights for users

2019-12-16 Thread Wolfgang Schweer
On Mon, Dec 16, 2019 at 11:33:28AM +0100, Dominik George wrote: > >> Why not just remove that line? > > > >The only line needed is: root/admin@INTERN * > >Intention is to fix the bug, but keep the change as minimal as > >possible. > Then it should be CIl in my opinion. Listing principals is the

Bug#946797: debian-edu-config: kadm5.acl should set proper rights for users

2019-12-16 Thread Dominik George
>> > root/admin@INTERN * >> > -*@INTERN cil >> > +*@INTERN Cil >> > */*@INTERN i >> > EOF >> > chmod 644 /etc/krb5kdc/kadm5.acl >> >> Why not just remove that line? > >The only line needed is: root/admin@INTERN * >Intention is to fix the bug, but keep the change as minimal as >possible.

Bug#946797: debian-edu-config: kadm5.acl should set proper rights for users

2019-12-16 Thread Wolfgang Schweer
On Mon, Dec 16, 2019 at 11:05:33AM +0100, Dominik George wrote: > > root/admin@INTERN * > > -*@INTERN cil > > +*@INTERN Cil > > */*@INTERN i > > EOF > > chmod 644 /etc/krb5kdc/kadm5.acl > > Why not just remove that line? The only line needed is: root/admin@INTERN * Intention is to fix
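Review bot: the quoted `+*@INTERN Cil` line withdraws only the changepw right: in kadm5.acl a lowercase letter grants a permission and an uppercase letter denies it, so `C` stops every INTERN principal from changing other principals' passwords (the impersonation path reported here) while `i` and `l` still let every user inquire about and list all principals. If the goal is a minimal change that also does not expose principal attributes to every user, `CIl` (as proposed elsewhere in this thread) denies inquire as well. In either case the entry has to stay below `root/admin@INTERN *`, since the first matching line in kadm5.acl decides the rights of an actor principal; the `chmod 644` on the file is fine, as the ACL holds no secrets.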

Bug#946797: debian-edu-config: kadm5.acl should set proper rights for users

2019-12-16 Thread Dominik George
Hi, > Severity: important I propose this bug to be set to severity critical and handled by DSA. After all, it is a local impersonation and root privilege escalation bug, if not remote if you consider clients scattered out over a school remote. > > To improve security, settings in kadm5.acl

Bug#946797: debian-edu-config: kadm5.acl should set proper rights for users

2019-12-15 Thread Wolfgang Schweer
Package: debian-edu-config Version: 1.812+deb8u1 Severity: important To improve security, settings in kadm5.acl should be adjusted. The needed fix is minimal: --- a/share/debian-edu-config/tools/kerberos-kdc-init +++ b/share/debian-edu-config/tools/kerberos-kdc-init @@ -187,7 +187,7 @@ EOF