The Samba-Bugzilla – Attachment 8181 Details for
Bug 9379
[SECURITY] ntp_signd permissions are too broad
[patch] Only allow group (eg ntp) access to the ntp_signd socket.
Filename: 0002-ntp_signd-Only-allow-group-access-to-the-ntp-signd-d.patch
MIME Type: text/plain
Creator: Andrew Bartlett
Created: 2012-11-11 23:30:31 UTC
Size: 1.69 KB
Attachment type: patch (marked obsolete)
>From 9600647ffd9467d136272571196ce322dd1c6af3 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Sun, 11 Nov 2012 21:32:22 +1100 >Subject: [PATCH 2/2] ntp_signd: Only allow group access to the ntp signd > directory. > >Existing installations running ntp as group 'ntp' will need to change >the permissions on the ntp_signd socket directory (eg >PREFIX/lib/ntp_signd or /var/lib/samba/ntp_signd) > >The reason is that allowing other users on the host access to this >directory would allow them to potentially spoof time on the network, >or attack the password database with a chosen plaintext attack. > >Permissions should be changed to: > >ownership root:ntp (if ntp runs as gid ntp) >mode 0750 (this is what it will be created as) > >If the permissions are not changed, Samba will refuse to start the >ntp_signd server, and NTP operations will not be signed. As the error >is declared fatal, in the future, Samba may totally refused to start. > >Andrew Bartlett >--- > source4/ntp_signd/ntp_signd.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source4/ntp_signd/ntp_signd.c b/source4/ntp_signd/ntp_signd.c >index 1de9cc3..0c3899f 100644 >--- a/source4/ntp_signd/ntp_signd.c >+++ b/source4/ntp_signd/ntp_signd.c >@@ -498,7 +498,7 @@ static void ntp_signd_task_init(struct task_server *task) > > const char *address; > >- if (!directory_create_or_exist(lpcfg_ntp_signd_socket_directory(task->lp_ctx), geteuid(), 0755)) { >+ if (!directory_create_or_exist(lpcfg_ntp_signd_socket_directory(task->lp_ctx), geteuid(), 0750)) { > char *error = talloc_asprintf(task, "Cannot create NTP signd pipe directory: %s", > lpcfg_ntp_signd_socket_directory(task->lp_ctx)); > task_server_terminate(task, >-- >1.7.11.7 >
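Review bot: the hunk passes only geteuid() and 0750 to directory_create_or_exist(), so nothing in the code sets the directory's group; a freshly created directory gets whatever group mkdir assigns (the daemon's primary group, or the parent's group on a setgid parent), not the ntp group, and with mode 0750 ntpd is locked out of the socket until an administrator runs chown root:ntp on it by hand. The commit message only tells existing installations to fix ownership; new installations need the same step, so either document it for both or have the code chown the directory to a configurable group. Also, the unchanged error text "Cannot create NTP signd pipe directory: %s" is now what an upgraded site sees when the directory exists with the old 0755 mode, which is not a creation failure; it should say the directory exists with the wrong ownership or mode and name the expected root:<group> and 0750 so the admin can fix it without reading this commit message.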
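A way to check an existing installation against the ownership and mode the commit message asks for, as an added shell example that is not part of this patch or of Samba: the default path is illustrative, and the numeric uid, gid and mode are caller-supplied assumptions so the same check can be pointed at any install (for a DC where ntpd runs as group ntp, that is 0, the gid of ntp, and 750).

```shell
#!/bin/sh
# Added example, not Samba code: check whether the ntp_signd socket directory
# has the ownership and mode the patch expects (owner = samba's uid, group =
# the gid ntpd runs as, mode exactly 0750), and fix it if not.
# Assumptions not taken from the page: the default path below, and that the
# numeric uid/gid are supplied by the caller (e.g. 0 and "$(id -g ntp)").

SIGND_DIR="${SIGND_DIR:-/var/lib/samba/ntp_signd}"

# signd_dir_ok DIR UID GID MODE
# Returns 0 when DIR is a directory owned by UID:GID whose permission bits
# equal MODE (octal without leading zero, e.g. 750); otherwise prints the
# first mismatch found and returns 1.
signd_dir_ok() {
    dir=$1; want_uid=$2; want_gid=$3; want_mode=$4
    if [ ! -d "$dir" ]; then
        echo "$dir: missing (samba will create it as $want_mode)"
        return 1
    fi
    # GNU stat: %u owner uid, %g group gid, %a permission bits in octal
    out=$(stat -c '%u %g %a' "$dir") || return 1
    set -- $out
    uid=$1; gid=$2; mode=$3
    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owner uid $uid, expected $want_uid"
        return 1
    fi
    if [ "$gid" != "$want_gid" ]; then
        echo "$dir: group gid $gid, expected $want_gid (ntpd cannot reach the socket)"
        return 1
    fi
    if [ "$mode" != "$want_mode" ]; then
        echo "$dir: mode $mode, expected $want_mode (0755 lets every local user ask for signed NTP replies)"
        return 1
    fi
    echo "$dir: ok ($uid:$gid $mode)"
    return 0
}

# fix_signd_dir DIR UID GID
# Apply the ownership and mode the commit message asks for (needs root on a
# real install). Returns chown/chmod's status.
fix_signd_dir() {
    chown "$2:$3" "$1" && chmod 0750 "$1"
}

# Typical use on a DC where ntpd runs as group ntp (as root):
#   signd_dir_ok "$SIGND_DIR" 0 "$(id -g ntp)" 750 || fix_signd_dir "$SIGND_DIR" 0 "$(id -g ntp)"
```

Run it before restarting samba after applying the patch: a directory left at 0755 from the old default fails the mode check, which is exactly the condition under which the patched server refuses to start ntp_signd.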
Flags:
abartlet: review? (jelmer)
obnox: review+
Attachments on bug 9379: 8180 | 8181