> On Fri, Jun 10, 2016 at 09:31:47PM +0200, Simon Ruderich wrote:
>> Instead of installing the helper as setuid one could also install
>> it as setgid with a specific kerberos group which can read the
>> keytab. Then in the worst case the keytab is compromised. The
>> existing patch supports this approach.

Any objections against using it as setgid instead of setuid? This
would work fine as well and prevent serious privilege escalation.

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x1972F726F0D556E7
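
Added example, not part of the original message or the patch: a shell check that a helper installed as proposed is setgid rather than setuid, and that the keytab is reachable only through the helper's group. The helper and keytab paths are arguments supplied by the caller, since the message names neither.

```shell
#!/bin/sh
# Audit the setgid layout: helper carries the setgid bit (never setuid),
# keytab belongs to the same group, is group-readable, and is closed to
# everyone else. Usage: audit_keytab_helper /path/to/helper /path/to/keytab

has_perm() {  # has_perm FILE MODE -> true if every bit in MODE is set
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

gid_of() {    # print the numeric group id of FILE
    ls -ldn "$1" | awk '{print $4}'
}

audit_keytab_helper() {
    helper=$1 keytab=$2 rc=0

    # A setuid helper is exactly what the setgid proposal avoids.
    if has_perm "$helper" 4000; then
        echo "FAIL: $helper is setuid"; rc=1
    fi
    has_perm "$helper" 2000 || { echo "FAIL: $helper is not setgid"; rc=1; }

    # A helper writable by group or others could be replaced and then
    # run with the keytab group's rights.
    if has_perm "$helper" 020 || has_perm "$helper" 002; then
        echo "FAIL: $helper is writable by group or others"; rc=1
    fi

    # The keytab must be readable through the helper's group only.
    if [ "$(gid_of "$helper")" != "$(gid_of "$keytab")" ]; then
        echo "FAIL: $keytab group differs from helper group"; rc=1
    fi
    has_perm "$keytab" 040 || { echo "FAIL: $keytab not group-readable"; rc=1; }
    for bit in 004 002 001; do
        if has_perm "$keytab" "$bit"; then
            echo "FAIL: $keytab grants world access (mode bit $bit)"; rc=1
        fi
    done

    [ "$rc" -eq 0 ] && echo "OK: setgid layout looks as intended"
    return "$rc"
}
```
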