Remove allow_constrained_delegation from gssproxy.conf #585

Closed

@pvomacka pvomacka commented Mar 14, 2017

This change reverts an option which breaks privilege separation.

https://pagure.io/freeipa/issue/6225

simo5 commented Mar 14, 2017

Please change commit message to:

The Apache process must not be allowed to use constrained delegation to contact services because it is already allowed to impersonate users to itself. Allowing it to perform constrained delegation would let it impersonate any user against the LDAP service without authentication.

@simo5 simo5 left a comment

Please change commit message to be very clear about why this is a big issue. Then I'll ack.

The Apache process must not be allowed to use constrained delegation to
contact services because it is already allowed to impersonate
users to itself. Allowing it to perform constrained delegation would
let it impersonate any user against the LDAP service without authentication.

https://pagure.io/freeipa/issue/6225
@simo5 simo5 added the ack Pull Request approved, can be merged label Mar 14, 2017
@MartinBasti

master:

  • f4cd61f Remove allow_constrained_delegation from gssproxy.conf

@MartinBasti MartinBasti added the pushed Pull Request has already been pushed label Mar 14, 2017
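
An added example, not part of this pull request or of FreeIPA's code: a Python check that flags any gssproxy.conf service section enabling both impersonation of users to itself and constrained delegation, the combination the commit message above warns about. Using `allow_protocol_transition` as the impersonation setting, the accepted boolean spellings, and the sample section names, paths and euid values are assumptions.

```python
# Constructed sample; section names, paths and euid values are assumptions.
SAMPLE_CONF = """\
[service/web-frontend]
  cred_store = keytab:/example/http.keytab
  allow_protocol_transition = true
  allow_constrained_delegation = true
  euid = 48

[service/api-backend]
  cred_store = keytab:/example/http.keytab
  allow_constrained_delegation = true
  euid = 990
"""

TRUE_VALUES = {"true", "yes", "1", "on"}  # accepted spellings are an assumption

def parse_sections(text):
    """Return {section: {key: [values]}}; keys such as cred_store may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()  # keys are often indented, so strip before matching
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key.lower(), []).append(value)
    return sections

def enabled(options, key):
    """True if the option's last occurrence is a true value (assumption)."""
    values = options.get(key, [])
    return bool(values) and values[-1].lower() in TRUE_VALUES

def risky_services(text):
    """Service sections that may both impersonate users and delegate."""
    return sorted(
        name for name, opts in parse_sections(text).items()
        if name.startswith("service/")
        and enabled(opts, "allow_protocol_transition")
        and enabled(opts, "allow_constrained_delegation")
    )

if __name__ == "__main__":
    print(risky_services(SAMPLE_CONF))
```

The parser is hand-written because Python's `configparser` treats indented lines as continuations of the previous value, which would hide indented options from the check.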