Bug#946797: marked as done (debian-edu-config: kadm5.acl should set proper rights for users)

Debian Bug Tracking System Sat, 21 Dec 2019 08:36:48 -0800

Your message dated Sat, 21 Dec 2019 16:32:44 +0000
with message-id <e1iihgk-0005p3...@fasolo.debian.org>
and subject line Bug#946797: fixed in debian-edu-config 2.10.65+deb10u3
has caused the Debian Bug report #946797,
regarding debian-edu-config: kadm5.acl should set proper rights for users
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
946797: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946797
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: debian-edu-config
Version: 1.812+deb8u1
Severity: important

To improve security, settings in kadm5.acl should be adjusted.

The needed fix is minimal:

--- a/share/debian-edu-config/tools/kerberos-kdc-init
+++ b/share/debian-edu-config/tools/kerberos-kdc-init
@@ -187,7 +187,7 @@ EOF
     if [ ! -f /etc/krb5kdc/kadm5.acl ] ; then
        cat > /etc/krb5kdc/kadm5.acl <<EOF
 root/admin@INTERN *
-*@INTERN cil
+*@INTERN Cil
 */*@INTERN i
 EOF
     chmod 644 /etc/krb5kdc/kadm5.acl

Thanks to Andreas B. Mundt for the hint.

Also, /etc/krb5kdc/kadm5.acl should be fixed accordingly upon upgrades
by adding something like this to debian-edu-config.postinst:

[configure case]
     fi
+
+    # Set proper rights for users.
+    if [ -f /etc/krb5kdc/kadm5.acl ] ; then
+        sed -i 's/cil/Cil/' /etc/krb5kdc/kadm5.acl
+    fi
     ;;
 esac

Wolfgang

signature.asc
Description: PGP signature

--- End Message ---

--- Begin Message ---

Source: debian-edu-config
Source-Version: 2.10.65+deb10u3

We believe that the bug you reported is fixed in the latest version of
debian-edu-config, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 946...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominik George <naturesha...@debian.org> (supplier of updated debian-edu-config 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 16 Dec 2019 16:29:19 +0100
Source: debian-edu-config
Architecture: source
Version: 2.10.65+deb10u3
Distribution: buster-security
Urgency: high
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Dominik George <naturesha...@debian.org>
Closes: 946797
Changes:
 debian-edu-config (2.10.65+deb10u3) buster-security; urgency=high
 .
   * Security fix for CVE-2019-3467
 .
   [ Wolfgang Schweer ]
   * share/debian-edu-config/tools/kerberos-kdc-init:
     - Set proper rights for users in kadm5.acl file. (Closes: #946797)
   * Adjust debian/debian-edu-config.postinst to fix kadm5.acl upon upgrades.
 .
   [ Holger Levsen ]
   * Improve debian/debian-edu-config.postinst fix to only run once on
     upgrades.
 .
   [ Dominik George ]
   * Add NEWS to warn administrators with possible local changes.
Checksums-Sha1:
 c8d1697ca57aa596b5a9be450c5bb01621c6417a 2019 
debian-edu-config_2.10.65+deb10u3.dsc
 fdc366af82ac76bc960faa079885297b52f9d891 345320 
debian-edu-config_2.10.65+deb10u3.tar.xz
 bbba6e68d16e31013ccd37a7faa1c2efe12e11b1 5824 
debian-edu-config_2.10.65+deb10u3_amd64.buildinfo
Checksums-Sha256:
 9993c2b690261ef72409bee9674ec187ad58f41583a0b0a256aa5cc64e8aaf86 2019 
debian-edu-config_2.10.65+deb10u3.dsc
 aaf5a4130d2a032d5e56eac5aa63629d5f9ed08366e6df4f0f95eb8e923aa4ed 345320 
debian-edu-config_2.10.65+deb10u3.tar.xz
 311b91ce88fd4a26b45f9bb7752257a0de26e03c582c5088039374c867605ec4 5824 
debian-edu-config_2.10.65+deb10u3_amd64.buildinfo
Files:
 0bbc77ad3bfa657431b7216d4c2996cd 2019 misc optional 
debian-edu-config_2.10.65+deb10u3.dsc
 d38c7dd2f8ee6f4804f5e177bcbb74cd 345320 misc optional 
debian-edu-config_2.10.65+deb10u3.tar.xz
 da0f8ddd45485c45f287201756165264 5824 misc optional 
debian-edu-config_2.10.65+deb10u3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJlBAEBCgBPFiEEPJ1UpHV1wCb7F/0mt5o8FqDE8pYFAl35Dx8xGmh0dHBzOi8v
d3d3LmRvbWluaWstZ2VvcmdlLmRlL2dwZy1wb2xpY3kudHh0LmFzYwAKCRC3mjwW
oMTylim4D/9Nt1XbDfCh3QLu4IFHH87WKqmeJvR/zPWf7Qz3u4jV26TC7KwPwPSA
/EInc9VGafb0qPjCv80iVqygLHp5YVKC1K2h4Q7xxNUJz/WktyGM52IJJY83PrfK
PWNPCNrJ8WFDR8o2OJhNbchAX8nGvbw/mD7n2Vf4jcTEQrZE8o7ZLeGo2iluPXMf
BxPsQtna2tFF0pYgqcNe28hzWqDQurfwKYMRANxWNKbfetqDXgnKqJ6QBokKDGoS
VwSMepogM4RqQxPcH1E9/lXPzKYZY1EXqFR+lOWPF9X4LC38oTHQvgwVIAz3Vt93
b0ABi4IwxFKdYWcN/9oaWAyEr0rE3e6Ckpo/dAGBnCXti/homGT/+/XdBS85Vi37
3u5TDqRd3RJmkIQjFvo6bzE5XdNR+CVnh5+ioNsSKmaxsSKBjVAkqCDfowmWZL1B
FNKmRpX99cUdsJhGJ2ASyEl148pRxwU9tR8nVU72rx9L1oq3gWGsptYsPoi8LTwM
aS+v1qz3eYOrrkpqKv2YL3oSIVnUlxHZnnSzDbj5b7nQjqGnBh2SryXgnlxWfPGw
fmlZB8LxtoFxTejb45yz45ciyRNBYeYJX2CHsCx0Vfql/ZMVL9aXfyYgwuCpusuG
2DagMRMNBGV7a/lLVULqoQyyukUfiGNxPTUuM5M3uqPBtox2EQUNww==
=/iWq
-----END PGP SIGNATURE-----

--- End Message ---

Bug#946797: marked as done (debian-edu-config: kadm5.acl should set proper rights for users)

Reply via email to