git.ipfire.org Git - thirdparty/krb5.git/commit
Do not be over-restrictive in the presence of UAC
author Kevin Wasserman <kevin.wasserman@painless-security.com>
Mon, 14 May 2012 16:14:20 +0000 (12:14 -0400)
committer Tom Yu <tlyu@mit.edu>
Mon, 27 Aug 2012 23:27:32 +0000 (19:27 -0400)
commit 4e52b28c39bc48c3cad60ae833156061a0ae9b02
tree 454e0d0a44013f7775808938eb06f5e0e3824649
parent 8bdedeedad2fda5cacdce083ae1305cb368226fb

We used to explicitly check if a process was UAC-limited and deny all
access to the TGT in that case; however, this makes the MSLSA cache
effectively useless.
Do not try to outsmart UAC, and let it do its own checking -- this allows
UAC-limited access to the MSLSA ccache, which should mean read-write
access to service tickets, and write-only access to the TGT.

Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
[kaduk@mit.edu: delete instead of comment out, move comment.]

(cherry picked from commit 8020c64554dd25a4f09df8a28dca924c6ecb5608)

ticket: 7254
status: resolved
src/lib/krb5/ccache/cc_mslsa.c