The branch, master has been updated via a2c3479 Revert "s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600" from 0dd648a s4:librpc/rpc: remember "ncalrpc_dir" on the dcerpc_pipe->binding
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit a2c34798782a1e4783c258d4e1950a2150d70e18 Author: Stefan Metzmacher <me...@samba.org> Date: Fri Mar 28 10:24:56 2014 +0100 Revert "s4:tls_tstream: allow mode of SSL keyfile to be 0400, not only 0600" This reverts commit 05c1fe50556e2330e23b7efb38e653428b9bdadf. This was discussed here: https://bugzilla.samba.org/show_bug.cgi?id=10392#c11 This generated warnings like: invalid permissions on file '/memdisk/metze/W/b138235/samba/bin/ab/promoted_dc/private/tls/key.pem': has 0600 should be 0400'. I think we need a better way. Maybe file_check_permissions() should get allow_perms and deny_perms. And we would call it with allow_perms = 0400 and deny_perms = 0177. And bits in none of them are ignored. For now we revert this and wait for a better fix. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Autobuild-User(master): Stefan Metzmacher <me...@samba.org> Autobuild-Date(master): Fri Mar 28 12:37:17 CET 2014 on sn-devel-104 ----------------------------------------------------------------------- Summary of changes: source4/lib/tls/tls_tstream.c | 5 ++--- 1 files changed, 2 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c index d67f2d9..2cb75ed 100644 --- a/source4/lib/tls/tls_tstream.c +++ b/source4/lib/tls/tls_tstream.c @@ -1113,17 +1113,16 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx, } if (file_exist(key_file) && - !file_check_permissions(key_file, geteuid(), 0400, &st) && !file_check_permissions(key_file, geteuid(), 0600, &st)) { DEBUG(0, ("Invalid permissions on TLS private key file '%s':\n" - "owner uid %u should be %u, mode %04o should be %04o or %04o\n" + "owner uid %u should be %u, mode 0%o should be 0%o\n" "This is known as CVE-2013-4476.\n" "Removing all tls .pem files will cause an " "auto-regeneration with the correct permissions.\n", key_file, (unsigned int)st.st_uid, geteuid(), - (unsigned int)(st.st_mode & 0777), 0400, 0600)); + (unsigned int)(st.st_mode & 0777), 0600)); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } -- Samba Shared Repository