[krbdev.mit.edu #8542] Check for k5login permission
Sam Hartman via RT
rt-comment at krbdev.mit.edu
Wed Feb 1 12:15:08 EST 2017
>>>>> "sandeep" == sandeep umesh via RT <rt-comment at krbdev.mit.edu> writes:

sandeep> Basically, in userok_k5login function, we do have a check
sandeep> to verify if .k5login file is owned either by the user or
sandeep> root. Can we also have an additional check to verify the
sandeep> permissions of this file to be at 600 ?

I actually object to the similar check in ssh and would object to it
being added for k5login.

I've found cases where allowing POSIX ACLs or groups to update the set
of users who are permitted to become a particular shared role account is
very useful.

I understand that it means you have to set the permissions right, but
there are legitimate cases for giving other users write access to an ACL
like .k5login.