The Samba-Bugzilla – Attachment 9623 Details for Bug 10392: TLS private key permissions
[patch] updated patch, added signed-off-by
bug10392.patch (text/plain), 1.59 KB, created by Michael Brown (dead mail address) on 2014-01-30 20:38:26 UTC
>From 784a1e8ebc7764e7f2b348f9e67d3ff73a8731ba Mon Sep 17 00:00:00 2001 >From: Michael Brown <michael@netdirect.ca> >Date: Wed, 22 Jan 2014 03:23:12 +0000 >Subject: [PATCH] s4:tls_tstream: allow mode of SSL keyfile to be 0400, not > only 0600 > >Signed-off-by: Michael Brown <michael@netdirect.ca> >--- > source4/lib/tls/tls_tstream.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > >diff --git a/source4/lib/tls/tls_tstream.c b/source4/lib/tls/tls_tstream.c >index 2cb75ed..d67f2d9 100644 >--- a/source4/lib/tls/tls_tstream.c >+++ b/source4/lib/tls/tls_tstream.c >@@ -1113,16 +1113,17 @@ NTSTATUS tstream_tls_params_server(TALLOC_CTX *mem_ctx, > } > > if (file_exist(key_file) && >+ !file_check_permissions(key_file, geteuid(), 0400, &st) && > !file_check_permissions(key_file, geteuid(), 0600, &st)) > { > DEBUG(0, ("Invalid permissions on TLS private key file '%s':\n" >- "owner uid %u should be %u, mode 0%o should be 0%o\n" >+ "owner uid %u should be %u, mode %04o should be %04o or %04o\n" > "This is known as CVE-2013-4476.\n" > "Removing all tls .pem files will cause an " > "auto-regeneration with the correct permissions.\n", > key_file, > (unsigned int)st.st_uid, geteuid(), >- (unsigned int)(st.st_mode & 0777), 0600)); >+ (unsigned int)(st.st_mode & 0777), 0400, 0600)); > return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; > } > >-- >1.7.9.5
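Review bot: In the `if (file_exist(key_file) && ...)` condition, each accepted mode gets its own file_check_permissions() call, so st is filled twice and any further acceptable mode would need another call plus another "or %04o" in the DEBUG text. If the intent behind the CVE-2013-4476 check is only that the key is owned by geteuid() and unreadable by group and other, a single check that no group/other bits are set, for example `(st.st_mode & 077) == 0`, would cover 0400 and 0600 without enumerating modes; if exactly these two modes are wanted, a short comment above the condition saying why would help. In the DEBUG arguments, the new literals 0400 and 0600 are passed to %04o without the `(unsigned int)` cast that the neighbouring st.st_uid and st.st_mode arguments use, and geteuid() goes to %u uncast as well; casting them would keep the format arguments consistent.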